On Thu, Jul 09, 2015 at 07:49:40PM -0400, Michael DePaulo wrote:
> Mike#1,
>
> Can you comment on whether X2Go is affected by this vulnerability? I
> am not sure how the session broker handles certs for HTTPS.
>
> https://www.openssl.org/news/secadv_20150709.txt
>
> The research I did for Heartbleed may be relevant:
> http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed?&#further_details_not_posted_to_the_x2go-announcement_list
>
> -Mike#2

x2go client could be affected when calling the broker via https. A man-in-the-middle attack is then possible, because the client will not validate the cert from the server correctly.

Bye
Henning

--
tarent solutions GmbH
Niederlassung Berlin
Voltastraße 5, D-13355 Berlin • http://www.tarent.de/
Tel: +49 30 555785-10
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-0 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
