Mike#1,
Can you comment on whether X2Go is affected by this vulnerability? I am not sure how the session broker handles certs for HTTPS.
https://www.openssl.org/news/secadv_20150709.txt
The research I did for Heartbleed may be relevant: http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed?further_details_not_posted_to_the_x2go-announcement_list
-Mike#2
On Thu, Jul 09, 2015 at 07:49:40PM -0400, Michael DePaulo wrote:
> Mike#1,
> Can you comment on whether X2Go is affected by this vulnerability? I am not sure how the session broker handles certs for HTTPS.
> https://www.openssl.org/news/secadv_20150709.txt
> The research I did for Heartbleed may be relevant: http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed?further_details_not_posted_to_the_x2go-announcement_list
> -Mike#2
x2go client could be affected when calling the broker via HTTPS.
A man-in-the-middle attack is then possible, because the client will not validate the cert from the server correctly.
Bye Henning
--
tarent solutions GmbH
Niederlassung Berlin: Voltastraße 5, D-13355 Berlin • http://www.tarent.de/ • Tel: +49 30 555785-10
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ • Tel: +49 228 54881-0 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Hi,
----- On 10 Jul, 2015, at 09:14, Henning Heinold h.heinold@tarent.de wrote:
> x2go client could be affected when calling the broker via HTTPS.
> A man-in-the-middle attack is then possible, because the client will not validate the cert from the server correctly.
x2goclient only needs to take action where it bundles OpenSSL, so for example for the Mac binary client and possibly the Windows client. A simple rebuild with updated dependencies should be enough.
-- Clemens Lang
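A quick way to verify the rebuild Clemens describes is to read the OpenSSL version banner out of the shipped client (or the libssl/libeay32 it bundles) and compare it with the range named in secadv_20150709. The script below is an added example, not X2Go project code or anything posted in this thread; it encodes the advisory's statement that only 1.0.1n/1.0.1o and 1.0.2b/1.0.2c are affected and that 1.0.1p and 1.0.2d carry the fix. The sample banners at the bottom are constructed, and the binary path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not X2Go or OpenSSL project code): classify an OpenSSL
# version string against the affected range in secadv_20150709 (CVE-2015-1793).
#   affected:     1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c
#   fixed:        1.0.1p and later, 1.0.2d and later
#   not affected: every other release (the alternative-chains code is absent)
# A bundled library or statically linked binary embeds a banner of the form
# "OpenSSL 1.0.1n 11 Jun 2015", which `strings` can recover.

# letter_ord LETTER -> position of the patch letter ("" -> 0, a -> 1, ... z -> 26)
letter_ord() {
    if [ -z "$1" ]; then echo 0; return; fi
    echo $(( $(printf '%d' "'$1") - 96 ))
}

# openssl_alt_chains_status VERSION -> affected | fixed | not_affected
openssl_alt_chains_status() {
    v=$1
    base=$(printf '%s\n' "$v" | sed 's/[a-z]*$//')     # "1.0.1n" -> "1.0.1"
    letter=$(printf '%s\n' "$v" | sed 's/^[0-9.]*//')  # "1.0.1n" -> "n"
    ord=$(letter_ord "$letter")
    case "$base" in
        1.0.1)
            # n and o are affected, p and later are fixed, m and earlier predate the bug
            if   [ "$ord" -ge "$(letter_ord p)" ]; then echo fixed
            elif [ "$ord" -ge "$(letter_ord n)" ]; then echo affected
            else echo not_affected; fi ;;
        1.0.2)
            # b and c are affected, d and later are fixed, 1.0.2/1.0.2a predate the bug
            if   [ "$ord" -ge "$(letter_ord d)" ]; then echo fixed
            elif [ "$ord" -ge "$(letter_ord b)" ]; then echo affected
            else echo not_affected; fi ;;
        *) echo not_affected ;;
    esac
}

# banner_status "OpenSSL 1.0.1n 11 Jun 2015" -> status of the version in the banner,
# or "unknown" when the line is not an OpenSSL version banner
banner_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }
    openssl_alt_chains_status "$ver"
}

# Usage against a shipped build (path is a placeholder; needs binutils `strings`):
#   strings /path/to/x2goclient | grep -m1 '^OpenSSL [0-9]' | while read -r b; do banner_status "$b"; done
# Constructed sample banners, not taken from any real X2Go build:
for b in "OpenSSL 1.0.1n 11 Jun 2015" "OpenSSL 1.0.2d 9 Jul 2015" "OpenSSL 1.0.1e 11 Feb 2013"; do
    printf '%-30s %s\n' "$b" "$(banner_status "$b")"
done
```

The check only tells you which OpenSSL the client carries; a client that links the system OpenSSL dynamically (the usual case on Linux) is covered by the distribution's library update instead, which is why Clemens limits the rebuild to the bundled Mac and Windows builds.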
Hi Michael, hi all,
On Fr 10 Jul 2015 13:59:42 CEST, Clemens Lang wrote:
> Hi,
> ----- On 10 Jul, 2015, at 09:14, Henning Heinold h.heinold@tarent.de wrote:
>> x2go client could be affected when calling the broker via HTTPS.
>> A man-in-the-middle attack is then possible, because the client will not validate the cert from the server correctly.
> x2goclient only needs to take action where it bundles OpenSSL, so for example for the Mac binary client and possibly the Windows client. A simple rebuild with updated dependencies should be enough.
/me chimes in with Henning and Clemens. X2Go Client can be affected.
Python X2Go should not be affected, as it does not have any OpenSSL lib in the dependency tree.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...