On Thu, Jul 09, 2015 at 07:49:40PM -0400, Michael DePaulo wrote:
Mike#1,
Can you comment on whether X2Go is affected by this vulnerability? I am not sure how the session broker handles certs for HTTPS.
https://www.openssl.org/news/secadv_20150709.txt
The research I did for Heartbleed may be relevant: http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed?further_details_not_posted_to_the_x2go-announcement_list
-Mike#2
x2go client could be affected when calling the broker via https.
A man-in-the-middle attack is then possible, because the client will not validate the cert from the server correctly.
Bye Henning
-- tarent solutions GmbH Niederlassung Berlin Voltastraße 5, D-13355 Berlin • http://www.tarent.de/ Tel: +49 30 555785-10
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-0 • Fax: +49 228 54881-235 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg