Hi David, all,

while I definitely promote securing systems and updating regularly or even automatically, imho this one is probably just noise for most of us.

From https://www.openssl.org/news/vulnerabilities.html#2020-1967:

"Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer."

From the pure wording (not looking at source code) I conclude:

- not relevant with any RDP Server of Microsoft, as TLS 1.3 is not generally available for production on Windows yet.
- not relevant for anyone using self-signed certificates (of course you should use trusted certificates), though this one is not clear from the note.
- not relevant with SSL.
- not relevant if your servers (do you trust their managers?) don't send "invalid or unrecognised signature algorithm"(s) - in other words - only relevant if servers are rogue.

Probably leaving an attack window if you allow connections to (arbitrary) hosts that you don't manage as part of your organization. Users of ad-hoc connections are affected, but https://guacamole.apache.org/doc/gug/adhoc-connections.html already warns about "security implications". Or more generally, whenever you accept user input without proper validation, you are vulnerable to injection attacks. But if I recall your guide, that extension was not installed. With the ad-hoc connection extension it would be interesting to see whether the crash affects just the connection to the rogue server or the entire guacd process.

Or am I confused? I'd suggest to repost security warnings only if there is a likely scenario for exploits. Imho, this one just provides yet another reason not to use ad-hoc connections. And for guides I usually just recommend to use the most recent versions unless you know better.

Any other thoughts?

Best Regards,
Joachim

> -----Original Message-----
> From: drhy <[email protected]>
> Sent: Friday, 1 May 2020 02:14
> To: [email protected]
> Subject: Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step
>
> The guides in the first post have been updated to use OpenSSL version 1.1.1g
> This latest OpenSSL version includes a "high severity fix".
>
> -David
>
>
>
> --
> Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
