Apache has issued an advisory today (January 18): https://www.openwall.com/lists/oss-security/2021/01/18/1 I'm not entirely sure whether the server, client, or both are affected. guacd (server) is in Cauldron and Mageia 7, guacamole-client only in Mageia 7. The issue is fixed upstream in 1.3.0.
Status comment: (none) => Fixed upstream in 1.3.0
Whiteboard: (none) => MGA7TOO
cauldron Freeze push asked.
CC: (none) => mageia
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
Assignee: bugsquad => mageia
fixed in cauldron
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
New guacd available on mga 7 updates_testing. It has 2 packages: util-linux and ossp_uuid. They are needed because before the 2 were conflicting; now they are, like in cauldron, coinstallable (as guacd needs ossp_uuid).
Assignee: mageia => qa-bugs
Sorry, I only pushed 1.2.0. I will look if I can push 1.3.0.
Assignee: qa-bugs => mageia
src: guacd-1.3.0-1.mga7
Blocks: (none) => 27593
What about guacamole-client? Also, it looks like three packages (at least) and three bugs are involved. We need more of an explanation of what all is being updated, as well as a package list.
Yes, sorry, it was on the other bugreport.

src:
guacd-1.3.0-1.mga7
util-linux-2.33.2-1.1.mga7
ossp_uuid-1.6.2-21.1.mga7

rpms:
guacd-1.3.0-1.mga7
libguac-client-kubernetes0-1.3.0-1.mga7
libguac-client-telnet0-1.3.0-1.mga7
libguac-devel-1.3.0-1.mga7
libguac19-1.3.0-1.mga7
libguac-client-ssh0-1.3.0-1.mga7
libguac-client-vnc0-1.3.0-1.mga7
libblkid1-2.33.2-1.1.mga7
libmount1-2.33.2-1.1.mga7
libuuid1-2.33.2-1.1.mga7
uuidd-2.33.2-1.1.mga7
libblkid-devel-2.33.2-1.1.mga7
libmount-devel-2.33.2-1.1.mga7
libuuid-devel-2.33.2-1.1.mga7
libfdisk1-2.33.2-1.1.mga7
libsmartcols1-2.33.2-1.1.mga7
python-libmount-2.33.2-1.1.mga7
libfdisk-devel-2.33.2-1.1.mga7
libsmartcols-devel-2.33.2-1.1.mga7
util-linux-2.33.2-1.1.mga7
libossp_uuid16-1.6.2-21.1.mga7
libossp_uuid-devel-1.6.2-21.1.mga7
ossp_uuid-1.6.2-21.1.mga7
perl-OSSP-uuid-1.6.2-21.1.mga7

Advisory:
This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.

Guacamole client can't be updated as it is in java and we don't have the required deps. What about creating a metapackage with README.urpmi explaining how to install it from guacamole website?
Did you verify which package is actually affected by the CVE in this bug?
this is guacd: https://security-tracker.debian.org/tracker/CVE-2020-11997
Will need a more fleshed out advisory, but this update will fix: https://bugs.mageia.org/show_bug.cgi?id=24509 https://bugs.mageia.org/show_bug.cgi?id=27593 https://bugs.mageia.org/show_bug.cgi?id=28158
Summary: guacd / guacamole-client new security issue CVE-2020-11997 => guacd new security issue CVE-2020-11997
Status comment: Fixed upstream in 1.3.0 => (none)
Source RPM: guacd-1.2.0-1.mga8.src.rpm, guacamole-client-0.9.8-5.mga7.src.rpm => guacd-0.6.0-5.mga7.src.rpm
MGA7-64 MATE on PeaqC1011
No installation issues.
At CLI:
# systemctl -l status guacd
● guacd.service - Guacamole proxy daemon
   Loaded: loaded (/usr/lib/systemd/system/guacd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:guacd(8)
# systemctl start guacd
# systemctl -l status guacd
● guacd.service - Guacamole proxy daemon
   Loaded: loaded (/usr/lib/systemd/system/guacd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-18 11:27:18 CET; 5s ago
     Docs: man:guacd(8)
 Main PID: 13672 (guacd)
    Tasks: 1 (limit: 2285)
   Memory: 10.5M
   CGroup: /system.slice/guacd.service
           └─13672 /usr/sbin/guacd -f

Feb 18 11:27:18 mach7.hviaene.thuis systemd[1]: Started Guacamole proxy daemon.
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: Guacamole proxy daemon (guacd) version 1.3.0 started
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: guacd[13672]: INFO: Guacamole proxy daemon (guacd) version 1.3.0 started
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: guacd[13672]: INFO: Listening on host 127.0.0.1, port 4822
Feb 18 11:27:18 mach7.hviaene.thuis guacd[13672]: Listening on host 127.0.0.1, port 4822

Now trying to do something with it. Googled "tutorial guacd" and found https://www.howtoforge.com/how-to-install-and-configure-guacamole-on-ubuntu-1804/ and https://guacamole.apache.org/doc/gug/users-guide.html
I wish whoever wants to try this good luck.
CC: (none) => herman.viaene
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340)

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. (CVE-2020-9497).

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. (CVE-2020-9498).

References:
https://bugs.mageia.org/show_bug.cgi?id=28158
https://bugs.mageia.org/show_bug.cgi?id=24509
https://bugs.mageia.org/show_bug.cgi?id=27593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
https://www.openwall.com/lists/oss-security/2021/01/18/1
========================

Updated package in core/updates_testing:
========================
guacd-1.3.0-1.mga7
libguac-client-kubernetes0-1.3.0-1.mga7
libguac-client-telnet0-1.3.0-1.mga7
libguac19-1.3.0-1.mga7
libguac-client-ssh0-1.3.0-1.mga7
libguac-client-vnc0-1.3.0-1.mga7
libblkid1-2.33.2-1.1.mga7
libmount1-2.33.2-1.1.mga7
libuuid1-2.33.2-1.1.mga7
uuidd-2.33.2-1.1.mga7
libblkid-devel-2.33.2-1.1.mga7
libuuid-devel-2.33.2-1.1.mga7
libfdisk1-2.33.2-1.1.mga7
libsmartcols1-2.33.2-1.1.mga7
python-libmount-2.33.2-1.1.mga7
libfdisk-devel-2.33.2-1.1.mga7
libsmartcols-devel-2.33.2-1.1.mga7
util-linux-2.33.2-1.1.mga7
libossp_uuid16-1.6.2-21.1.mga7
libossp_uuid-devel-1.6.2-21.1.mga7
ossp_uuid-1.6.2-21.1.mga7
perl-OSSP-uuid-1.6.2-21.1.mga7

from SRPM:
guacd-1.3.0-1.mga7
util-linux-2.33.2-1.1.mga7
ossp_uuid-1.6.2-21.1.mga7
CVE: (none) => CVE-2020-11997
Suggested advisory is missing the CVE from this bug and an explanation for the other updated packages.
(In reply to David Walser from comment #14)
> Suggested advisory is missing the CVE from this bug and an explanation for
> the other updated packages.

Oh yes, fixing it:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340)

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. (CVE-2020-9497).

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. (CVE-2020-9498).

Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users. (CVE-2020-11997).

This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co uninstallable as guacd requires ossp_uuid.

References:
https://bugs.mageia.org/show_bug.cgi?id=28158
https://bugs.mageia.org/show_bug.cgi?id=24509
https://bugs.mageia.org/show_bug.cgi?id=27593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
https://www.openwall.com/lists/oss-security/2021/01/18/1
========================

Updated package in core/updates_testing:
========================
guacd-1.3.0-1.mga7
libguac-client-kubernetes0-1.3.0-1.mga7
libguac-client-telnet0-1.3.0-1.mga7
libguac19-1.3.0-1.mga7
libguac-client-ssh0-1.3.0-1.mga7
libguac-client-vnc0-1.3.0-1.mga7
libblkid1-2.33.2-1.1.mga7
libmount1-2.33.2-1.1.mga7
libuuid1-2.33.2-1.1.mga7
uuidd-2.33.2-1.1.mga7
libblkid-devel-2.33.2-1.1.mga7
libuuid-devel-2.33.2-1.1.mga7
libfdisk1-2.33.2-1.1.mga7
libsmartcols1-2.33.2-1.1.mga7
python-libmount-2.33.2-1.1.mga7
libfdisk-devel-2.33.2-1.1.mga7
libsmartcols-devel-2.33.2-1.1.mga7
util-linux-2.33.2-1.1.mga7
libossp_uuid16-1.6.2-21.1.mga7
libossp_uuid-devel-1.6.2-21.1.mga7
ossp_uuid-1.6.2-21.1.mga7
perl-OSSP-uuid-1.6.2-21.1.mga7

from SRPM:
guacd-1.3.0-1.mga7
util-linux-2.33.2-1.1.mga7
ossp_uuid-1.6.2-21.1.mga7
CVE: CVE-2020-11997 => CVE-2018-1340, CVE-2020-9497, CVE-2020-9498, CVE-2020-11997
not

This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co uninstallable as guacd requires ossp_uuid.

but

This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.

we want them "co installable"
Oh, the messed up typo there... thanks for pinpointing it!

Really fixing it now:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340)

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. (CVE-2020-9497).

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. (CVE-2020-9498).

Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users. (CVE-2020-11997).

This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.

References:
https://bugs.mageia.org/show_bug.cgi?id=28158
https://bugs.mageia.org/show_bug.cgi?id=24509
https://bugs.mageia.org/show_bug.cgi?id=27593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
https://www.openwall.com/lists/oss-security/2021/01/18/1
========================

Updated package in core/updates_testing:
========================
guacd-1.3.0-1.mga7
libguac-client-kubernetes0-1.3.0-1.mga7
libguac-client-telnet0-1.3.0-1.mga7
libguac19-1.3.0-1.mga7
libguac-client-ssh0-1.3.0-1.mga7
libguac-client-vnc0-1.3.0-1.mga7
libblkid1-2.33.2-1.1.mga7
libmount1-2.33.2-1.1.mga7
libuuid1-2.33.2-1.1.mga7
uuidd-2.33.2-1.1.mga7
libblkid-devel-2.33.2-1.1.mga7
libuuid-devel-2.33.2-1.1.mga7
libfdisk1-2.33.2-1.1.mga7
libsmartcols1-2.33.2-1.1.mga7
python-libmount-2.33.2-1.1.mga7
libfdisk-devel-2.33.2-1.1.mga7
libsmartcols-devel-2.33.2-1.1.mga7
util-linux-2.33.2-1.1.mga7
libossp_uuid16-1.6.2-21.1.mga7
libossp_uuid-devel-1.6.2-21.1.mga7
ossp_uuid-1.6.2-21.1.mga7
perl-OSSP-uuid-1.6.2-21.1.mga7

from SRPM:
guacd-1.3.0-1.mga7
util-linux-2.33.2-1.1.mga7
ossp_uuid-1.6.2-21.1.mga7
I took a stab at this without successfully getting it to work. Seems to be a major project. Everything appeared to install - had to install a ton of stuff. Note the guac tool requires tomcat and did not have a dependency. I had to manually choose that.

Installs, but I could not validate.

---

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 16 packages are going to be installed:

- glibc-2.29-22.mga7.x86_64
- guacd-1.3.0-1.mga7.x86_64
- lib64blkid1-2.33.2-1.1.mga7.x86_64
- lib64guac-client-ssh0-1.3.0-1.mga7.x86_64
- lib64guac-client-telnet0-1.3.0-1.mga7.x86_64
- lib64guac-client-vnc0-1.3.0-1.mga7.x86_64
- lib64guac19-1.3.0-1.mga7.x86_64
- lib64mount1-2.33.2-1.1.mga7.x86_64
- lib64ossp_uuid16-1.6.2-21.1.mga7.x86_64
- lib64smartcols1-2.33.2-1.1.mga7.x86_64
- lib64telnet2-0.21-7.mga7.x86_64
- lib64uuid1-2.33.2-1.1.mga7.x86_64
- lib64vncserver1-0.9.13-1.mga7.x86_64
- ossp_uuid-1.6.2-21.1.mga7.x86_64
- perl-OSSP-uuid-1.6.2-21.1.mga7.x86_64
- util-linux-2.33.2-1.1.mga7.x86_64

1.7MB of additional disk space will be used.

Installed a bunch more for the server then added the following

The following 61 packages are going to be installed:

- aopalliance-1.0-16.mga7.noarch
- apache-commons-codec-1.11-2.mga7.noarch
- atinject-1-21.20100611svn86.6.mga7.noarch
- bea-stax-api-1.2.0-16.mga7.noarch
- bytelist-1.0.8-14.mga7.noarch
- cglib-3.2.4-4.mga7.noarch
- freemarker-2.3.28-2.mga7.noarch
- geronimo-annotation-1.0-21.mga7.noarch
- geronimo-interceptor-1.0.1-17.mga7.noarch
- geronimo-validation-1.1-17.mga7.noarch
- glassfish-fastinfoset-1.2.13-8.mga7.noarch
- glassfish-gmbal-3.2.0-0.9.b006.mga7.noarch
- glassfish-jaxb-api-2.2.12-8.mga7.noarch
- glassfish-jaxb-core-2.2.11-8.mga7.noarch
- glassfish-jaxb-runtime-2.2.11-8.mga7.noarch
- glassfish-jaxb-txw2-2.2.11-8.mga7.noarch
- glassfish-management-api-3.2.1-0.3.b005.mga7.noarch
- glassfish-pfl-3.2.0-0.10.b004.mga7.noarch
- glassfish-servlet-api-3.1.0-13.mga7.noarch
- google-guice-4.1-9.mga7.noarch
- grizzly-2.3.24-3.mga7.noarch
- guacamole-0.9.8-5.mga7.noarch
- guava20-20.0-3.mga7.noarch
- guice-servlet-4.1-9.mga7.noarch
- hibernate-jpa-2.0-api-1.0.1-20.mga7.noarch
- httpcomponents-client-4.5.5-1.1.mga7.noarch
- httpcomponents-core-4.4.10-1.mga7.noarch
- istack-commons-runtime-2.21-7.mga7.noarch
- jackson-1.9.11-14.mga7.noarch
- jakarta-commons-httpclient-3.1-26.mga7.noarch
- jboss-el-2.2-api-1.0.2-7.mga7.noarch
- jcodings-1.0.9-12.mga7.noarch
- jersey1-1.19-10.mga7.noarch
- jersey1-contribs-1.19-10.mga7.noarch
- jettison-1.3.7-5.mga7.noarch
- joda-time-2.9.9-3.tzdata2017b.1.mga7.noarch
- jquery-1.12.4-1.mga6.noarch
- jsr-311-1.1.1-14.mga7.noarch
- liblog4j12-java-1.2.17-19.mga7.noarch
- logback-1.1.7-3.mga7.noarch
- mimepull-1.9.6-5.mga7.noarch
- objectweb-asm-6.2.1-4.mga7.noarch
- objectweb-asm3-3.3.1-15.mga7.noarch
- publicsuffix-list-20190417-1.mga7.noarch
- relaxngDatatype-2011.1-6.mga7.noarch
- slf4j-1.7.25-1.mga7.noarch
- slf4j-jcl-1.7.25-1.mga7.noarch
- springframework-3.2.18-2.mga7.noarch
- springframework-aop-3.2.18-2.mga7.noarch
- springframework-beans-3.2.18-2.mga7.noarch
- springframework-context-3.2.18-2.mga7.noarch
- springframework-expression-3.2.18-2.mga7.noarch
- springframework-web-3.2.18-2.mga7.noarch
- stax-ex-1.7.7-8.mga7.noarch
- stax2-api-4.0.0-1.mga7.noarch
- web-assets-filesystem-5-4.mga7.noarch
- xalan-j2-2.7.1-35.mga7.noarch
- xerces-j2-2.11.0-29.mga7.noarch
- xml-commons-resolver-1.2-22.mga7.noarch
- xmlstreambuffer-1.5.4-7.mga7.noarch
- xsom-0-15.20110809svn.3.mga7.noarch
CC: (none) => brtians1
Whiteboard: (none) => feedback
I also finally got around to starting testing ...
On M7 i586
libossp_uuid-devel-1.6.2-21.mga7.i586 (due to conflicts with libuuid-devel-2.33.2-1.mga7.i586)
On M7 x86_64
A requested package cannot be installed:
lib64ossp_uuid-devel-1.6.2-21.mga7.x86_64 (due to conflicts with lib64uuid-devel-2.33.2-1.mga7.x86_64)
CC: (none) => davidwhodgins
Those are supposed to conflict. Remove whichever one you have installed.
(In reply to David Walser from comment #20)
> Those are supposed to conflict. Remove whichever one you have installed.

they were, this is supposed to be fixed.
Just realized the error I found was while I was installing the pre-update packages in preparation for ensuring a clean update. I'll force the packages to install and then test the update later today after I get some sleep. Sorry for the mistake.
Not sure why feedback is still on here, this looks like it should be pushed.
Whiteboard: feedback => (none)
(In reply to David Walser from comment #23)
> Not sure why feedback is still on here, this looks like it should be pushed.

Validating.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
Blocks: (none) => 24509
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0272.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED