[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2019-02-02 8:12:26
Message-ID: 20190202081226.GA25332 () eldamar ! local
[Download RAW message or body]

Hi Mike,

On Fri, Feb 01, 2019 at 07:24:48PM -0800, Mike Jumper wrote:
> On Fri, Feb 1, 2019, 04:27 Salvatore Bonaccorso <carnil@debian.org wrote:
> 
> > Hi Mike,
> >
> > On Wed, Jan 23, 2019 at 02:21:30PM -0800, Mike Jumper wrote:
> > > CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
> > >
> > > Versions affected:
> > > Apache Guacamole 0.9.4 through 0.9.14
> > >
> > > Description:
> > > Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
> > > of the user's session token. This cookie lacked the "secure" flag,
> > > which could allow an attacker eavesdropping on the network to
> > > intercept the user's session token if unencrypted HTTP requests are
> > > made to the same domain.
> > >
> > > Mitigation:
> > > Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.
> > >
> > > Credit:
> > > We would like to thank Ross Golder for reporting this issue.
> >
> > Would it be possible to confirm, is this
> > https://issues.apache.org/jira/browse/GUACAMOLE-549
> > https://github.com/apache/guacamole-client/commit/884a9c0ee987f9cb49a69
> > ?
> >
> 
> That is the correct JIRA issue, yes, however there are multiple relevant
> commits.
> 
> With respect to the security aspect of the changes, the relevant pull
> request is:
> 
> https://github.com/apache/guacamole-client/pull/273
> 
> There are other relevant pull requests, though they deal mainly with
> eliminating cookies entirely:
> 
> https://github.com/apache/guacamole-client/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+GUACAMOLE-549

Thanks a lot!

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]