[X2Go-Dev] X2Go & OpenSSL CVE-2015-1793 "Alternative chains certificate forgery"

Henning Heinold h.heinold at tarent.de
Fri Jul 10 09:14:23 CEST 2015


On Thu, Jul 09, 2015 at 07:49:40PM -0400, Michael DePaulo wrote:
> Mike#1,
> 
> Can you comment on whether X2Go is affected by this vulnerability? I
> am not sure how the session broker handles certs for HTTPS.
> 
> https://www.openssl.org/news/secadv_20150709.txt
> 
> The research I did for Heartbleed may be relevant:
> http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed?&#further_details_not_posted_to_the_x2go-announcement_list
> 
> -Mike#2

x2go client could be affected when calling the broker via https.

A man-in-the-middle attack is then possible, because the client will
not validate the cert from the server correctly.

Bye Henning

-- 
tarent solutions GmbH Niederlassung Berlin
Voltastraße 5, D-13355 Berlin • http://www.tarent.de/
Tel: +49 30 555785-10

Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-0 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
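To make the failure mode discussed above concrete, here is an added illustration that is not code from this thread, from X2Go or from OpenSSL. It models certificates as plain records and shows, side by side, a chain builder that skips the CA flag on a peer-supplied issuer (the class of mistake the advisory describes: a valid leaf cert "issuing" a forged one) and the corrected builder that refuses such an issuer. The certificate names (Root CA, Good Site, the forged broker cert) are made up; the only real-world data is the list of affected OpenSSL releases from https://www.openssl.org/news/secadv_20150709.txt, which the second function checks a version string against.

```python
"""Model of the CVE-2015-1793 chain-building mistake (added example, not OpenSSL/X2Go code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag


def _find_issuer(cert, pool):
    """Return the cert in `pool` whose subject matches cert.issuer, or None."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain(leaf, untrusted, trusted, require_ca):
    """Walk issuer links from `leaf` through the peer-supplied `untrusted` pool
    until a trust anchor in `trusted` is reached.

    require_ca=False accepts any untrusted cert as an issuer, including an
    end-entity cert; that is the kind of bypass the advisory describes.
    require_ca=True is the corrected behaviour.  Returns the chain as a list,
    or None when no acceptable path to a trust anchor exists.
    """
    trusted_subjects = {c.subject for c in trusted}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.issuer not in trusted_subjects:
        issuer = _find_issuer(current, untrusted)
        if issuer is None or issuer.subject in seen:
            return None  # dangling or looping chain
        if require_ca and not issuer.is_ca:
            return None  # a leaf certificate may not act as a CA
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    chain.append(_find_issuer(current, trusted))
    return chain


# Constructed sample certificates (hypothetical names).
ROOT = Cert(subject="Root CA", issuer="Root CA", is_ca=True)
# A legitimately issued leaf; an attacker who holds its private key can
# "sign" further certificates with it.
GOOD_SITE = Cert(subject="good-site.example", issuer="Root CA", is_ca=False)
# The forged certificate presented for the X2Go broker host.
FORGED = Cert(subject="broker.example", issuer="good-site.example", is_ca=False)

# Releases the OpenSSL advisory of 2015-07-09 lists as affected.
AFFECTED_OPENSSL = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}


def openssl_version_affected(version_string):
    """True if a version string such as ssl.OPENSSL_VERSION or the output of
    `openssl version` names one of the affected releases."""
    match = re.search(r"(\d+\.\d+\.\d+[a-z]*)", version_string)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    return match.group(1) in AFFECTED_OPENSSL


def demo():
    """Return (vulnerable_result, fixed_result) for the forged broker cert."""
    vulnerable = build_chain(FORGED, [GOOD_SITE], [ROOT], require_ca=False)
    fixed = build_chain(FORGED, [GOOD_SITE], [ROOT], require_ca=True)
    return vulnerable, fixed


if __name__ == "__main__":
    import ssl
    print("forged chain accepted by vulnerable builder:", demo()[0] is not None)
    print("forged chain accepted by fixed builder:", demo()[1] is not None)
    print("this interpreter links", ssl.OPENSSL_VERSION,
          "- listed as affected:", openssl_version_affected(ssl.OPENSSL_VERSION))
```

The version check is only a first pass: distributions such as Debian and Red Hat backport fixes without changing the upstream version string, so a host reporting 1.0.1n may already be patched, and the package changelog is the authoritative source. The X2Go client and any broker-side HTTPS code are only exposed through the OpenSSL build they actually link against.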
