Apache has issued advisories today (January 11):
https://www.openwall.com/lists/oss-security/2022/01/11/6
https://www.openwall.com/lists/oss-security/2022/01/11/7
I'm not entirely sure whether the server, client, or both are affected. guacd (server) is in Cauldron and Mageia 8, guacamole-client only in Mageia 7.
Whiteboard: (none) => MGA8TOO
I assume these are fixed upstream in 1.4.0:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P3X6KYVDMURCDFATPNFFLFQ4TBMRSXU5/
Apache has issued advisories on June 6:
https://www.openwall.com/lists/oss-security/2023/06/06/1
https://www.openwall.com/lists/oss-security/2023/06/06/2
The issues are fixed upstream in 1.5.2.
Summary: guacd new security issues CVE-2021-41767 and CVE-2021-43999 => guacd new security issues CVE-2021-41767, CVE-2021-43999, CVE-2023-3057[56]
We currently have guacd 1.5.1 in Cauldron. According to https://guacamole.apache.org/security/:
Fixed in Apache Guacamole 1.4.0:
- Improper validation of SAML responses (CVE-2021-43999)
- Private tunnel identifier may be included in the non-private details of active connections (CVE-2021-41767)
Thus we still need 1.5.2.
CC: (none) => yves.brungard_mageia
guacd built in 1.5.2 (Cauldron testing):
guacd-1.5.2-1.mga9
lib64guac-client-rdp0-1.5.2-1.mga9
lib64guac-terminal0-1.5.2-1.mga9
guacd-client-rdp-1.5.2-1.mga9
lib64guac21-1.5.2-1.mga9
lib64guac-client-telnet0-1.5.2-1.mga9
lib64guac-client-kubernetes0-1.5.2-1.mga9
lib64guac-client-vnc0-1.5.2-1.mga9
lib64guac-client-ssh0-1.5.2-1.mga9
lib64guac-devel-1.5.2-1.mga9
Cauldron updated
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Mageia 8 EOL
Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED