[guacamole-website] branch master updated: Document vulnerability CVE-2018-1340, fixed in 1.0.0.
This is an automated email from the ASF dual-hosted git repository. vnick pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/guacamole-website.git The following commit(s) were added to refs/heads/master by this push: new 114e5e1 Document vulnerability CVE-2018-1340, fixed in 1.0.0. new c222748 Merge document vulnerability CVE-2018-1340, fixed in 1.0.0. 114e5e1 is described below commit 114e5e1f8536d1fd30dc21850ccb79edcf753c87 Author: Michael Jumper AuthorDate: Wed Jan 9 22:29:44 2019 -0800 Document vulnerability CVE-2018-1340, fixed in 1.0.0. --- _security/CVE-2018-1340.md | 13 + 1 file changed, 13 insertions(+) diff --git a/_security/CVE-2018-1340.md b/_security/CVE-2018-1340.md new file mode 100644 index 000..83abb74 --- /dev/null +++ b/_security/CVE-2018-1340.md @@ -0,0 +1,13 @@ +--- +title: Secure flag missing from session cookie +cve: CVE-2018-1340 +fixed: 1.0.0 +--- + +Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the +user's session token. This cookie lacked the "secure" flag, which could allow +an attacker eavesdropping on the network to intercept the user's session token +if unencrypted HTTP requests are made to the same domain. + +Acknowledgements: We would like to thank Ross Golder for reporting this issue. +
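Review bot: The advisory body added in _security/CVE-2018-1340.md stops at the risk description and never states the remedy. The front matter carries `fixed: 1.0.0`, but the prose only says "Prior to 1.0.0" and does not say what changed in 1.0.0 or what an administrator on an earlier release should do. Suggest adding a sentence after "if unencrypted HTTP requests are made to the same domain." that tells readers to upgrade to 1.0.0 and briefly says how that release removes the exposure of the session token. It would also help to spell out whether the condition "unencrypted HTTP requests are made to the same domain" covers deployments where Guacamole itself is served over HTTPS, since that is the case most readers will be checking.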
[guacamole-website] branch asf-site updated: Deploy documentation of CVE-2018-1340.
This is an automated email from the ASF dual-hosted git repository. mjumper pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/guacamole-website.git The following commit(s) were added to refs/heads/asf-site by this push: new 33c637f Deploy documentation of CVE-2018-1340. 33c637f is described below commit 33c637fe777cb8dd81c84ddfd598251a8a6bf799 Author: Michael Jumper AuthorDate: Wed Jan 23 14:52:25 2019 -0800 Deploy documentation of CVE-2018-1340. --- content/security/index.html | 22 ++ 1 file changed, 22 insertions(+) diff --git a/content/security/index.html b/content/security/index.html index a742e34..5eec905 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -421,6 +421,28 @@ mailing list of the https://www.apache.org/security/";>ASF Security Team the mailto:secur...@guacamole.apache.org";>secur...@guacamole.apache.org mailing list, before disclosing or discussing the issue in a public forum. +Fixed in Apache Guacamole 1.0.0 + + + + + + +Secure flag missing from session cookie +(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340";>CVE-2018-1340) + +Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the +user’s session token. This cookie lacked the “secure” flag, which could allow +an attacker eavesdropping on the network to intercept the user’s session token +if unencrypted HTTP requests are made to the same domain. + +Acknowledgements: We would like to thank Ross Golder for reporting this issue. + + + + + + Fixed in Apache Guacamole 0.9.11-incubating
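Review bot: In the rendered paragraph of content/security/index.html the cookie attribute appears as “secure” in typographic quotes, where the Markdown source in _security/CVE-2018-1340.md has plain "secure". Since this names a literal cookie attribute, suggest marking it as code in the source (for example `Secure`) so the site generator does not smart-quote it and readers can search for the exact attribute name. The same applies to the entry title "Secure flag missing from session cookie" if the attribute is meant literally there. The rest of the hunk (new "Fixed in Apache Guacamole 1.0.0" section placed above "Fixed in Apache Guacamole 0.9.11-incubating", text matching the source file) looks consistent with the existing page layout.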