I am repro'ing with the Docker image (slightly customized, otherwise I would've shared repro steps, working on that), so that helps.
I did some research. alpine:3.17.6 through alpine:3.18.5 appear to all have the same version of openssl1.1-compat-dev <https://github.com/apache/guacamole-server/blob/a575af63ef5b4c8b1804999f211ebeb270992b5a/Dockerfile#L45> (1.1.1u-r1). I'm checking with `apk add --no-cache --simulate openssl1.1-compat-dev`, let me know if that's not to be trusted for some reason. No surprise that it repros when the image is built with something older, like alpine:3.18.2. Nick, even though you can't reproduce it, could you share your openssl version? On Wed, Jan 24, 2024 at 11:00 AM Barnhart, Steven <barnhart....@osu.edu> wrote: > Would be worth using the docker versions and seeing if is present in them > as that is then easy to point to dependencies not being updated. > > –Steve > ------------------------------ > *From:* Weston Thayer <wes...@assistivlabs.com> > *Sent:* Wednesday, January 24, 2024 1:58:14 PM > *To:* user@guacamole.apache.org <user@guacamole.apache.org> > *Subject:* Re: Major bug message log in guacd 1.5.4 > > Running with Nick's theory that it could be something to do with OpenSSL, > could folks who have reproduced it by upgrading ONLY guacd from 1. 5. 3 to > 1. 5. 4 share their OpenSSL versions? Since I can easily reproduce this, I > can employ some > Running with Nick's theory that it could be something to do with OpenSSL, > could folks who have reproduced it by upgrading ONLY guacd from 1.5.3 to > 1.5.4 share their OpenSSL versions? Since I can easily reproduce this, I > can employ some trial & error testing to try and identify the key variable. > > On Wed, Jan 24, 2024 at 9:15 AM Vieri <rentor...@yahoo.com.invalid> wrote: > > > > On Wednesday, January 24, 2024 at 04:01:52 PM GMT+1, Nick Couchman < > vn...@apache.org> wrote: > > > When I say "underlying system" - I mean that I'm not running Docker > containers, I'm installing natively on CentOS7, > > and when I upgraded from 1.5.3 to 1.5.4, I did not update any of the > other dependencies (FreeRDP, SSH, kernel, openSSL, etc.). > > This indicates that the issue isn't guacd itself, but some issue between > guacd + FreeRDP and possibly some > > underlying library (OpenSSL) that is causing the leakage. > > Same here. > I am NOT using docker containers. > As I said, absolutely nothing has changed except for guacd 1.5.4 -> 1.5.3. > No other dependency has been updated or changed. OpenSSL is exactly the > same. All other libs are exactly the same. FreeRDP is left untouched. > > So it could be what you mentioned earlier: guacd 1.5.4 might be using > something in FreeRDP that 1.5.3 wasn't. > Assuming it's FreeRDP that's leaking. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org > For additional commands, e-mail: user-h...@guacamole.apache.org > >