Hi Mike,

Would the recent CVEs be able to affect a guacserver that did not have the guacsnd.so and guaccdr.so linked in (i.e. no sound and redirection functional)?
danielm

-----Original Message-----
From: Mike Jumper <[email protected]>
Sent: Wednesday, July 1, 2020 11:14 PM
To: [email protected]; [email protected]; [email protected]; [email protected]
Cc: [email protected]; [email protected]
Subject: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
