RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Thank you for your reply. 

We will consider upgrading the version.

Thank you,
Tadashi
> -Original Message-
> From: Mike Jumper 
> Sent: Thursday, January 13, 2022 10:19 AM
> To: user@guacamole.apache.org
> Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel
> identifier may be included in the non-private details of active connections
> 
> On Wed, Jan 12, 2022 at 4:52 PM  wrote:
> >
> > Hello,
> >
> > Can this vulnerability be protected by a WAF such as ModSecurity?
> >
> 
> I would not recommend relying solely on a WAF to defend against a known issue 
> in
> any application. With the issue in question being patched in the latest 
> release (1.4.0),
> your best option is to upgrade to 1.4.0 and thus deploy the relevant patch.
> 
> - Mike
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org





Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022 at 4:52 PM  wrote:
>
> Hello,
>
> Can this vulnerability be protected by a WAF such as ModSecurity?
>

I would not recommend relying solely on a WAF to defend against a
known issue in any application. With the issue in question being
patched in the latest release (1.4.0), your best option is to upgrade
to 1.4.0 and thus deploy the relevant patch.

- Mike




RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Hello,

 

Can this vulnerability be protected by a WAF such as ModSecurity?

 

From: Nick Couchman  
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel 
identifier may be included in the non-private details of active connections

 

On Wed, Jan 12, 2022 at 4:28 PM guacatoine (guacamole.to...@placi.de) wrote:


Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?

 

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the 
patch.

 

If you really need to maintain a lower version, you could try to back-port the 
patch(es) that specifically address the issue to that version, but that's a lot 
of manual work versus just upgrading to the latest version.

 

-Nick



SSH public key auth with safenet etoken?

2022-01-12 Thread pw Foo
Hi,

I use an eToken for SSH pubkey auth. Is it possible to use the eToken instead
of a key file?

Regards


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Nick Couchman
On Wed, Jan 12, 2022 at 4:28 PM guacatoine  wrote:

>
> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing
> CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming
> for one (or more lower) version(s) of Guacamole?
>
>
We do not plan to release patches for lower versions. Essentially, 1.4.0 is
the patch.

If you really need to maintain a lower version, you could try to back-port
the patch(es) that specifically address the issue to that version, but
that's a lot of manual work versus just upgrading to the latest version.

-Nick


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread guacatoine



Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:

Severity: moderate


When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?


Thank you,
Toine




Re: Problems connecting to RDP server Weston with rdp backend

2022-01-12 Thread Ivanmarcus

Fernando,

I've seen similar log entries from working systems so I'm not sure it's 
necessarily the issue, however given the uniqueness of your setup I 
agree it'd be good to be able to specify some parameters in order to 
test things further.


That said I don't believe there's any easy way to go about this - you'd 
need to alter the code directly. A couple of pointers on that may be 
obtainable here: 
https://lists.apache.org/list?user@guacamole.apache.org:2021-8:guacd%20pass%20additional%20args 
and here: https://lists.apache.org/thread/0lx5ypm6t0ndwgy0cp8m8nsqp5zmnzdf


Otherwise it may be that others on the list have experience with your 
issue/setup, or are able to provide much more informed assistance.



On 12/01/22 11:56 pm, Fernando C. de Urien y Muñiz wrote:

Hi Ivan,
Thanks for your ideas!
I made some further debugging with remmina and guacamole. I found a 
difference in the connection they establish:


Remmina:

Local framebuffer format  PIXEL_FORMAT_BGRX32
Remote framebuffer format *PIXEL_FORMAT_BGRA32*

Guacd
Jan 12 10:17:06 ip-172-33-33-54 guacd[698589]: Local framebuffer format 
  PIXEL_FORMAT_BGRX32
Jan 12 10:17:06 ip-172-33-33-54 guacd[698589]: Remote framebuffer format 
*PIXEL_FORMAT_RGB16*
I suspect that for some reason guacd is not detecting the "remote 
framebuffer format PIXEL_FORMAT" correctly and that leads to a faulty 
rendering but no idea about how to force it. Is there any setting to 
force BGRA32 for a connection?  (I think the problem is in guacd because 
I am using the same freerdp packages from ubuntu but, of course, not sure)

I built guacd but used the ubuntu packaged freerdp development files.

 >>Having said all that I don't recall seeing much about your Guacamole
 >>installation? I seem to recall some possible issue with graphics if a
 >>proxy is in use,

I thought about that at first but the same guacamole setup is able 
to connect to a win10 box, 2008r2 box and a ubuntu xrdp box... my 
feeling is that the client is able to render.


thanks,

Fernando

On Wed, 12 Jan 2022 at 11:19, Ivanmarcus 
() wrote:


In Remmina, if you've set up a connection, you can edit that connection
to see some of the settings it uses (colour depth for example). You can
also turn on a debug window which may show more - although I've seen
mixed comments on that.

I suppose it's possible you have two or more versions of FreeRDP on
your
system. It could be worth checking that before going too far - to see
what Remmina's using first find the plugin:

dpkg -L remmina-plugin-rdp | fgrep remmina-plugin-rdp.so

(my Ubuntu 18.04 shows
/usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so)

then:

ldd /usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so |
grep libfree

should show the FreeRDP version.

If you compiled Guacamole from scratch you'll know if this is the same
version you introduced then. If it is then you'd generally expect it to
work as it does with Remmina (all commands being equal), if not then
there could be some subtle differences so you'd need to proceed with a
degree of caution.

Note that being the same doesn't necessarily mean that Guacamole must
work, all you're doing at this point is trying to eliminate a few
possible issues so that it's easier to focus closer to where the issue
might lie.

Having said all that I don't recall seeing much about your Guacamole
installation? I seem to recall some possible issue with graphics if a
proxy is in use, so if the problem persists it could be worth checking
that and/or letting us know more about your setup.

One other thing that's also worth doing before going too far is simply
to clear your browser cache - that's caused many a problem in the past.

That probably exhausts my ideas at this point, however going through
these things may well assist others to more readily identify the actual
issue...



On 12/01/22 8:56 pm, Fernando C. de Urien y Muñiz wrote:
 > Hi! Thanks for your answer.
 > Just tried with "remmina/freeRDP" on ubuntu 20.04 (same as guacd
box)
 > and it works.  I already tried to disable catching.
 >
 > is there anyway to see the "settings" that remmina used to
connect so I
 > can "set them up" in guacamole?
 >
 > Thanks!
 > Fernando
 >
 > On Wed, 12 Jan 2022 at 3:07, Ivanmarcus
 > () wrote:
 >
 >
 >     Fernando,
 >
 >     I have zero experience of your remote environment, however
perhaps you
 >     could try initially connecting direct with Remmina/FreeRDP
(pref the
 >     same version as you're using for Guacamole)?
 >
 >     If that works then try Guacamole again, specifically
disabling all the
 >     caching options. It may also be worth experimenting with some
different
 >     display settings (eg. true colour etc).
 >
 >  

Re: Feature Request: disable connection sharing without logging out

2022-01-12 Thread Hankins, Jonathan
(FWIW, in testing the existing functionality out today, I find that when
you click the sharing profile a second time, it generates a new link, but
the first link is not invalidated when this happens, nor is anyone actively
using the link disconnected.)

I think this could be useful in a few ways. One thing that comes to mind is
some Windows terminal server policies may cause a session to log out
immediately on disconnect, and a user who had shared their session may not
want to completely log out just to end the sharing. Another thought -
suppose you had one sharing setting to grant a co-presenter RW access, and
then a second RO share setting that was distributed to each group of
attendees. You are going to do back-to-back sessions and would like to
"kick out" the attendees from the previous session without affecting the
co-presenter.

If generating a new sharing URL invalidated the previously-generated one
and terminated any active sessions using that URL, it would work, but I
don't know how clearly the current UI would indicate what was happening to
the (primary) user. For example, I expected it to invalidate/disconnect the
previous URL/session when I clicked it a second time, but I wasn't even
sure that clicking it a second time would do anything.

It also might be helpful under the "This connection is now shared" area of
the Guacamole menu to have an indication of whether each share URL is RO or
RW.

I am kind of envisioning a checkbutton next to each sharing setting (in the
Share dropdown) that gives a visual indication of which sharing settings
are active, and a way to "turn them off" which would invalidate the URL and
disconnect the URL. Checking the box again after unchecking it would
generate the new URL, so you are kind of toggling them on and off.

Curious what others think or what use cases they may have.


On Wed, Jan 12, 2022 at 2:06 AM Michael Niehren  wrote:

> Hi,
>
>
> first of all, many thanks for this great software.
>
>
> I missed one thing. Would it be possible to implement that the user can
> disable a provided connection sharing without logging out. Or maybe a button
> to disable all shared connections.
>
> All external users should be automatically disconnected when the sharing
> ends, in the same way as disconnecting the session.
>
> So someone can use guacamole for a Presentation Meeting and if the meeting
> is over he only disables the sharing.
>
>
> best regards
>
>   Michael
>
>
> 
> Information pursuant to the EHUG
>
> Company name: tuxlan GmbH
> Legal form: GmbH
> Registered office: Am Waldstadion 32, 66636 Tholey
> Managing director: Michael Niehren
> Register court: Saarbrücken, HRB 107090
> 
>
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Guacamole update: on-screen keyboard and printing

2022-01-12 Thread Vieri
Hi again,

On the guacamole 1.4.0 server I ran the following test to somehow simulate the 
gs output guacd would expect (I guess):

# pdf2ps guac_print.pdf
    Warning: File has some garbage before %PDF- .
# gs -sDEVICE=pdfwrite -sOutputFile=guac_print_test.pdf guac_print.ps

If I open guac_print_test.pdf I can see the page content just fine.

I have ghostscript-gpl-9.55.0.

So I guess gs is not the issue here.

Any suggestions?





Re: Remote Desktop Gateway Configuration

2022-01-12 Thread blee
I am sorry for the late response, but I just wanted to follow-up with how I
resolved my issue in case someone else comes across this same problem.

Connecting via a traditional RDP/MSTSC and using the RDS settings within it
helped troubleshoot the issue.  I was actually putting all of the
information in correctly, for the most part, however the real problem was
permissions.  Here is one of the errors I found:

Dec 15 13:37:58 guacamole guacd[99179]: FreeRDP initialization may fail:
The current user's home directory ("/sbin") is not writable, but FreeRDP
generally requires a writable home directory for storage of configuration
files and certificates.
Dec 15 13:37:58 guacamole guacd: guacd[99179]: WARNING:#011FreeRDP
initialization may fail: The current user's home directory ("/sbin") is not
writable, but FreeRDP generally requires a writable home directory for
storage of configuration files and certificates.

I was running guacd as a user that did not have permissions to write to the
directory.  Once I changed that, it all worked perfectly and I was able to
connect via RDS.  Thank you for the help.


On Tue, Dec 21, 2021 at 8:36 AM Tyler Marcotte  wrote:

> Have you tried connecting with traditional RDP from your laptop first to
> make sure it's working? In guacamole you need to specify both the PC you're
> trying to RDP into and the RDP gateway in the connection configuration. I
> use FQDN for both personally.
>
> On Sun, Dec 19, 2021 at 8:59 PM blee  wrote:
>
>> I have a 2019 Remote Desktop Gateway and Broker on the same server and am
>> attempting to configure Guacamole (1.3) to connect to a Session Host via
>> the Gateway/Broker.  Assume my Gateway/Broker IP is 192.168.1.1 and I can
>> connect to the traditional Gateway via https://192.168.1.1/RDWeb, and
>> the line in my RDP file for the load-balance-info parameter is
>>
>> loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Test_RDP
>>
>> After reading the manual, I believe I entered in all of the information
>> correctly in my configuration file, but I am still not able to connect with
>> one of the lines in my error log being:
>>
>> guacd[28097]: INFO: RDP server closed/refused connection: Upstream
>> error.
>>
>> Can I get some guidance on what fields need to be entered as well as the
>> values to enable connecting through the Broker?  For example, what part of
>> the string should I use for the load-balance-info parameter?  Can the
>> Hostname for the Remote Desktop Gateway be an IP or does it need to be an
>> FQDN?
>>
>> I went through a large portion of the mailing list archives to find a
>> similar topic and had difficulties.  Any help would be appreciated.
>>
>>
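
The warning quoted above is the thing to look for whenever an RDP connection through guacd fails for no obvious reason: FreeRDP needs a writable home directory for its configuration and certificate store, and a service account whose home is something like /sbin does not have one. The script below, added here and not code from Guacamole or FreeRDP, pulls the offending directory out of guacd log lines (the first two sample lines are the ones quoted in the message, the third is a constructed filler line) and checks whether a given account's home directory is actually writable. The account name `guacd` in the usage section is an assumption about how the daemon was installed; the function names are my own.

```python
"""Detect FreeRDP's "home directory is not writable" warning in guacd logs and
verify the service account's home directory before the next RDP attempt.

Added example for this thread; not code from Guacamole or FreeRDP.
"""
import os
import pwd
import re
import tempfile
from typing import List, Tuple

# FreeRDP (via guacd) quotes the offending directory; this pattern captures it
# from both the raw guacd line and the syslog-wrapped copy of the same message.
_HOME_WARNING = re.compile(r'home directory \("(?P<home>[^"]+)"\) is not writable')

# Sample log: the first two lines are quoted from the message above, joined onto
# one line each as a log collector would store them; the third is constructed.
SAMPLE_LOG = [
    'Dec 15 13:37:58 guacamole guacd[99179]: FreeRDP initialization may fail: '
    'The current user\'s home directory ("/sbin") is not writable, but FreeRDP '
    'generally requires a writable home directory for storage of configuration '
    'files and certificates.',
    'Dec 15 13:37:58 guacamole guacd: guacd[99179]: WARNING:#011FreeRDP '
    'initialization may fail: The current user\'s home directory ("/sbin") is not '
    'writable, but FreeRDP generally requires a writable home directory for '
    'storage of configuration files and certificates.',
    'Dec 15 13:37:59 guacamole guacd[99179]: INFO: RDP server closed/refused '
    'connection: Upstream error.',
]


def unwritable_homes_from_log(lines: List[str]) -> List[str]:
    """Return the distinct home directories FreeRDP reported as not writable, in log order."""
    found: List[str] = []
    for line in lines:
        m = _HOME_WARNING.search(line)
        if m and m.group("home") not in found:
            found.append(m.group("home"))
    return found


def home_is_writable(home: str) -> bool:
    """True when the directory exists and the current process may write to it.

    os.access() is evaluated for the real uid of this process, so run the check
    as the account guacd runs under (e.g. `sudo -u guacd python3 check_home.py`)
    to get the answer FreeRDP would get.
    """
    return os.path.isdir(home) and os.access(home, os.W_OK)


def service_home(user: str) -> str:
    """Home directory of a local account, resolved from the passwd database like FreeRDP does."""
    return pwd.getpwnam(user).pw_dir


def probe_example_paths() -> Tuple[bool, bool]:
    """Sanity check of the writability test: a known-writable directory and a missing one."""
    tmp = tempfile.gettempdir()
    missing = os.path.join(tmp, "guacd-home-check-does-not-exist")
    return home_is_writable(tmp), home_is_writable(missing)


if __name__ == "__main__":
    for home in unwritable_homes_from_log(SAMPLE_LOG):
        print(f"log reports unwritable home: {home} (writable now? {home_is_writable(home)})")
    # Assumed service account name; use whatever account runs guacd on your host.
    try:
        home = service_home("guacd")
        print(f"guacd home {home}: writable={home_is_writable(home)}")
    except KeyError:
        print("no local account named 'guacd' on this host")
```

The fix the thread arrived at (run guacd as an account with a writable home, or give the account one) is the right one; what the script adds is a way to confirm the condition from the logs and from the passwd entry rather than from a failed connection.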


Re: Problems connecting to RDP server Weston with rdp backend

2022-01-12 Thread Fernando C . de Urien y Muñiz
Hi Ivan,
Thanks for your ideas!
I made some further debugging with remmina and guacamole. I found a
difference in the connection they establish:

Remmina:

Local framebuffer format  PIXEL_FORMAT_BGRX32
Remote framebuffer format *PIXEL_FORMAT_BGRA32*

Guacd
Jan 12 10:17:06 ip-172-33-33-54 guacd[698589]: Local framebuffer format
 PIXEL_FORMAT_BGRX32
Jan 12 10:17:06 ip-172-33-33-54 guacd[698589]: Remote framebuffer format
*PIXEL_FORMAT_RGB16*

I suspect that for some reason guacd is not detecting the "remote
framebuffer format PIXEL_FORMAT" correctly and that leads to a faulty
rendering but no idea about how to force it. Is there any setting to force
BGRA32 for a connection?  (I think the problem is in guacd because I am
using the same freerdp packages from ubuntu but, of course, not sure)
I built guacd but used the ubuntu packaged freerdp development files.

>>Having said all that I don't recall seeing much about your Guacamole
>>installation? I seem to recall some possible issue with graphics if a
>>proxy is in use,

I thought about that at first but the same guacamole setup is able to
connect to a win10 box, 2008r2 box and a ubuntu xrdp box... my feeling is
that the client is able to render.

thanks,

Fernando

On Wed, 12 Jan 2022 at 11:19, Ivanmarcus ()
wrote:

> In Remmina, if you've set up a connection, you can edit that connection
> to see some of the settings it uses (colour depth for example). You can
> also turn on a debug window which may show more - although I've seen
> mixed comments on that.
>
> I suppose it's possible you have two or more versions of FreeRDP on your
> system. It could be worth checking that before going too far - to see
> what Remmina's using first find the plugin:
>
> dpkg -L remmina-plugin-rdp | fgrep remmina-plugin-rdp.so
>
> (my Ubuntu 18.04 shows
> /usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so)
>
> then:
>
> ldd /usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so |
> grep libfree
>
> should show the FreeRDP version.
>
> If you compiled Guacamole from scratch you'll know if this is the same
> version you introduced then. If it is then you'd generally expect it to
> work as it does with Remmina (all commands being equal), if not then
> there could be some subtle differences so you'd need to proceed with a
> degree of caution.
>
> Note that being the same doesn't necessarily mean that Guacamole must
> work, all you're doing at this point is trying to eliminate a few
> possible issues so that it's easier to focus closer to where the issue
> might lie.
>
> Having said all that I don't recall seeing much about your Guacamole
> installation? I seem to recall some possible issue with graphics if a
> proxy is in use, so if the problem persists it could be worth checking
> that and/or letting us know more about your setup.
>
> One other thing that's also worth doing before going too far is simply
> to clear your browser cache - that's caused many a problem in the past.
>
> That probably exhausts my ideas at this point, however going through
> these things may well assist others to more readily identify the actual
> issue...
>
>
>
> On 12/01/22 8:56 pm, Fernando C. de Urien y Muñiz wrote:
> > Hi! Thanks for your answer.
> > Just tried with "remmina/freeRDP" on ubuntu 20.04 (same as guacd box)
> > and it works.  I already tried to disable caching.
> >
> > is there anyway to see the "settings" that remmina used to connect so I
> > can "set them up" in guacamole?
> >
> > Thanks!
> > Fernando
> >
> > On Wed, 12 Jan 2022 at 3:07, Ivanmarcus
> > () wrote:
> >
> >
> > Fernando,
> >
> > I have zero experience of your remote environment, however perhaps
> you
> > could try initially connecting direct with Remmina/FreeRDP (pref the
> > same version as you're using for Guacamole)?
> >
> > If that works then try Guacamole again, specifically disabling all
> the
> > caching options. It may also be worth experimenting with some
> different
> > display settings (eg. true colour etc).
> >
> > If perchance a direct FreeRDP connection doesn't work I suspect
> > Guacamole won't either, until whatever impediment is resolved.
> However
> > in that instance it should narrow things down somewhat and hopefully
> > make it a little easier to resolve.
> >
> > -
> > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> > 
> > For additional commands, e-mail: user-h...@guacamole.apache.org
> > 
> >
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>


Re: Problems connecting to RDP server Weston with rdp backend

2022-01-12 Thread Ivanmarcus
In Remmina, if you've set up a connection, you can edit that connection 
to see some of the settings it uses (colour depth for example). You can 
also turn on a debug window which may show more - although I've seen 
mixed comments on that.


I suppose it's possible you have two or more versions of FreeRDP on your 
system. It could be worth checking that before going too far - to see 
what Remmina's using first find the plugin:


dpkg -L remmina-plugin-rdp | fgrep remmina-plugin-rdp.so

(my Ubuntu 18.04 shows 
/usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so)


then:

ldd /usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so | 
grep libfree


should show the FreeRDP version.

If you compiled Guacamole from scratch you'll know if this is the same 
version you introduced then. If it is then you'd generally expect it to 
work as it does with Remmina (all commands being equal), if not then 
there could be some subtle differences so you'd need to proceed with a 
degree of caution.


Note that being the same doesn't necessarily mean that Guacamole must 
work, all you're doing at this point is trying to eliminate a few 
possible issues so that it's easier to focus closer to where the issue 
might lie.


Having said all that I don't recall seeing much about your Guacamole 
installation? I seem to recall some possible issue with graphics if a 
proxy is in use, so if the problem persists it could be worth checking 
that and/or letting us know more about your setup.


One other thing that's also worth doing before going too far is simply 
to clear your browser cache - that's caused many a problem in the past.


That probably exhausts my ideas at this point, however going through 
these things may well assist others to more readily identify the actual 
issue...




On 12/01/22 8:56 pm, Fernando C. de Urien y Muñiz wrote:

Hi! Thanks for your answer.
Just tried with "remmina/freeRDP" on ubuntu 20.04 (same as guacd box) 
and it works.  I already tried to disable caching.


is there anyway to see the "settings" that remmina used to connect so I 
can "set them up" in guacamole?


Thanks!
Fernando

On Wed, 12 Jan 2022 at 3:07, Ivanmarcus 
() wrote:



Fernando,

I have zero experience of your remote environment, however perhaps you
could try initially connecting direct with Remmina/FreeRDP (pref the
same version as you're using for Guacamole)?

If that works then try Guacamole again, specifically disabling all the
caching options. It may also be worth experimenting with some different
display settings (eg. true colour etc).

If perchance a direct FreeRDP connection doesn't work I suspect
Guacamole won't either, until whatever impediment is resolved. However
in that instance it should narrow things down somewhat and hopefully
make it a little easier to resolve.

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org

For additional commands, e-mail: user-h...@guacamole.apache.org




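
The `dpkg -L` / `ldd` procedure above answers one narrow question: do Remmina and guacd load the same FreeRDP shared objects, or has a source build of guacamole-server picked up a second copy (for example under /usr/local)? The script below, added here and not code from Remmina, FreeRDP or Guacamole, parses `ldd` output for two binaries and lists every FreeRDP or WinPR library they resolve differently. The two transcripts are constructed for illustration (sonames, paths and load addresses are made up), and the plugin paths in the usage section are assumptions about a Debian/Ubuntu layout; `ldd_of()` is only meant to be run on a host where those files exist.

```python
"""Compare the FreeRDP/WinPR libraries two RDP clients actually load, from `ldd` output.

Added example for this thread; not code from Remmina, FreeRDP or Guacamole.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# ldd lines of interest look like:
#   libfreerdp2.so.2 => /usr/lib/x86_64-linux-gnu/libfreerdp2.so.2 (0x00007f...)
# Lines without "=>" (the vdso, the loader itself) carry no resolved path and are skipped.
_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S+)")

# Constructed: what Remmina's RDP plugin might resolve to on an Ubuntu host.
REMMINA_LDD = (
    "    linux-vdso.so.1 (0x00007ffd1a3f0000)\n"
    "    libfreerdp2.so.2 => /usr/lib/x86_64-linux-gnu/libfreerdp2.so.2 (0x00007f1a00000000)\n"
    "    libfreerdp-client2.so.2 => /usr/lib/x86_64-linux-gnu/libfreerdp-client2.so.2 (0x00007f1a01000000)\n"
    "    libwinpr2.so.2 => /usr/lib/x86_64-linux-gnu/libwinpr2.so.2 (0x00007f1a02000000)\n"
    "    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a03000000)\n"
)

# Constructed: a guacd RDP plugin built from source that linked against a
# second FreeRDP copy installed under /usr/local.
GUACD_LDD = (
    "    linux-vdso.so.1 (0x00007ffe2b5e0000)\n"
    "    libfreerdp2.so.2 => /usr/local/lib/libfreerdp2.so.2 (0x00007f2b00000000)\n"
    "    libfreerdp-client2.so.2 => /usr/local/lib/libfreerdp-client2.so.2 (0x00007f2b01000000)\n"
    "    libwinpr2.so.2 => /usr/lib/x86_64-linux-gnu/libwinpr2.so.2 (0x00007f2b02000000)\n"
    "    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b03000000)\n"
)


def freerdp_libs(ldd_output: str) -> Dict[str, str]:
    """Map soname -> resolved path for every FreeRDP and WinPR library in ldd output."""
    libs: Dict[str, str] = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group("soname").startswith(("libfreerdp", "libwinpr")):
            libs[m.group("soname")] = m.group("path")
    return libs


def freerdp_mismatch(ldd_a: str, ldd_b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Libraries the two binaries resolve differently, or that only one of them links.

    An empty result means both clients load the same FreeRDP files, so a
    behavioural difference is unlikely to come from a duplicate FreeRDP install.
    """
    a, b = freerdp_libs(ldd_a), freerdp_libs(ldd_b)
    return {
        soname: (a.get(soname), b.get(soname))
        for soname in sorted(set(a) | set(b))
        if a.get(soname) != b.get(soname)
    }


def ldd_of(path: str) -> str:
    """Run ldd on a real shared object; only usable on a host where the file exists."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for soname, (remmina_path, guacd_path) in freerdp_mismatch(REMMINA_LDD, GUACD_LDD).items():
        print(f"{soname}: remmina -> {remmina_path}, guacd -> {guacd_path}")
    # On a live host, replace the constructed transcripts with ldd output of the
    # two plugins. Assumed paths: Remmina's plugin as given in the thread, and
    # guacd's RDP plugin as installed by `make install` of guacamole-server:
    #   freerdp_mismatch(
    #       ldd_of("/usr/lib/x86_64-linux-gnu/remmina/plugins/remmina-plugin-rdp.so"),
    #       ldd_of("/usr/local/lib/libguac-client-rdp.so"))
```

As the post says, a match does not prove Guacamole will work; it only removes one variable. A mismatch, on the other hand, is worth resolving before chasing anything else, because the two clients are then not testing the same code.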



RE: Building an extension module: guacamole-ext 1.4.0 not found

2022-01-12 Thread Joachim Lindenberg
Hello Nick, all,

when switching to 1.4 I had to fiddle with permissions of my extensions in the 
docker containers. I guess the user for the containers changed, but I didn't 
really analyze in detail.

Thanks for the good work!

Joachim

 

From: Nick Couchman 
Sent: Tuesday, 11 January 2022 22:22
To: user@guacamole.apache.org
Subject: Re: Building an extension module: guacamole-ext 1.4.0 not found

 

On Tue, Jan 11, 2022 at 4:11 PM Dustin Lang (dstnd...@gmail.com) wrote:

Hi,

 

I'm trying to update my custom authentication module to use 1.4.0.

 

In my pom.xml I first tried just changing the 1.3.0 to 1.4.0, that didn't work, 
then I re-read the manual 
(https://guacamole.apache.org/doc/gug/custom-auth.html), copy-pasting the 
suggested pom.xml, and that also fails.  If I edit the 1.4.0 to 1.3.0, it works.

 

Below, it looks like maven is looking for "guacamole-client" instead of 
"guacamole-ext" ... I have no idea why that would be!  Nothing in my directory 
contains the string "guacamole-client"  I tried removing my ~/.m2 
directory, no effect.  I'm new to all this, so apologies if this is something 
naive I'm doing wrong.

 

 

I think there's an issue that's been identified with Maven artifacts, and the 
guacamole-client one is missing. You can solve this in one of two ways:

1) Just use the 1.3.0 extension with the 1.4.0 Guacamole Client install - it 
should work, unless there's something specific from 1.4.0 that you're trying to 
leverage.

2) Build the entire Guacamole Client code on the system where you're trying to 
build that module, which should give you the JAR artifacts you need.

 

-Nick



Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri  wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: high
> >
> > Description:
> >
> > Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> > received from a SAML identity provider. If SAML support is enabled,
> > this may allow a malicious user to assume the identity of another
> > Guacamole user.
> >
> > Credit:
> >
> > We would like to thank Finn Steglich (ETAS) for reporting this issue.
> >
> > -
> > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> > For additional commands, e-mail: user-h...@guacamole.apache.org
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The SAML authentication extension for the webapp.

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri  wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: moderate
> >
> > Description:
> >
> > Apache Guacamole 1.3.0 and older may incorrectly include a private
> > tunnel identifier in the non-private details of some REST responses.
> > This may allow an authenticated user who already has permission to
> > access a particular connection to read from or interact with another
> > user's active use of that same connection.
> >
> > Credit:
> >
> > We would like to thank Damian Velardo (Australia and New Zealand
> > Banking Group) for reporting this issue.
> >
> > -
> > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> > For additional commands, e-mail: user-h...@guacamole.apache.org
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The web application (.war).

- Mike


Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: high
> 
> Description:
> 
> Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> received from a SAML identity provider. If SAML support is enabled,
> this may allow a malicious user to assume the identity of another
> Guacamole user.
> 
> Credit:
> 
> We would like to thank Finn Steglich (ETAS) for reporting this issue.
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen




Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: moderate
> 
> Description:
> 
> Apache Guacamole 1.3.0 and older may incorrectly include a private
> tunnel identifier in the non-private details of some REST responses.
> This may allow an authenticated user who already has permission to
> access a particular connection to read from or interact with another
> user's active use of that same connection.
> 
> Credit:
> 
> We would like to thank Damian Velardo (Australia and New Zealand
> Banking Group) for reporting this issue.
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen




Feature Request: disable connection sharing without logging out

2022-01-12 Thread Michael Niehren
Hi,



first of all, many thanks for this great software.



I missed one thing. Would it be possible to implement that the user can disable 
a provided connection sharing without logging out. Or maybe a button to disable 
all shared connections.

All external users should be automatically disconnected when the sharing 
ends, in the same way as disconnecting the session.

So someone can use guacamole for a Presentation Meeting and if the meeting is 
over he only disables the sharing.



best regards

  Michael






Information pursuant to the EHUG

Company name: tuxlan GmbH
Legal form: GmbH
Registered office: Am Waldstadion 32, 66636 Tholey
Managing director: Michael Niehren
Register court: Saarbrücken, HRB 107090