Debian Bug report logs - #1015986
guacamole-client: CVE-2021-41767 CVE-2021-43999 CVE-2020-11997
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#1015986; Package src:guacamole-client. (Sun, 24 Jul 2022 19:03:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sun, 24 Jul 2022 19:03:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: guacamole-client
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for guacamole-client.
CVE-2021-41767[0]:
| Apache Guacamole 1.3.0 and older may incorrectly include a private
| tunnel identifier in the non-private details of some REST responses.
| This may allow an authenticated user who already has permission to
| access a particular connection to read from or interact with another
| user's active use of that same connection.
https://www.openwall.com/lists/oss-security/2022/01/11/6
CVE-2021-43999[1]:
| Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
| received from a SAML identity provider. If SAML support is enabled,
| this may allow a malicious user to assume the identity of another
| Guacamole user.
https://www.openwall.com/lists/oss-security/2022/01/11/7
CVE-2020-11997[2]:
| Apache Guacamole 1.2.0 and earlier do not consistently restrict access
| to connection history based on user visibility. If multiple users
| share access to the same connection, those users may be able to see
| which other users have accessed that connection, as well as the IP
| addresses from which that connection was accessed, even if those users
| do not otherwise have permission to see other users.
https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E
https://issues.apache.org/jira/browse/GUACAMOLE-1123
https://github.com/apache/guacamole-client/pulls?q=is%3Apr+guacamole-1123+is%3Aclosed
https://github.com/glyptodon/guacamole-client/pull/453
https://enterprise.glyptodon.com/doc/latest/cve-2020-11997-inconsistent-restriction-of-connection-history-visibility-31424710.html
https://enterprise.glyptodon.com/doc/1.x/changelog-950368.html#id-.Changelogv1.x-1.14
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767
[1] https://security-tracker.debian.org/tracker/CVE-2021-43999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999
[2] https://security-tracker.debian.org/tracker/CVE-2020-11997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997
Please adjust the affected versions in the BTS as needed.
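The third advisory above (CVE-2020-11997) describes an authorization filter that was applied to the connection but not to the individual history records returned for it. The following is an added illustration of that failure mode and its correction in a hypothetical model; it is not Apache Guacamole's code and does not reproduce the project's actual fix. The `HistoryRecord` and `Viewer` types, the sample history, and the visibility policy (a user sees their own records plus those of users they hold READ permission on) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class HistoryRecord:
    """One use of a connection (hypothetical model, not Guacamole's schema)."""
    connection_id: str
    username: str      # who used the connection
    remote_host: str   # address the user connected from
    start_date: str


@dataclass(frozen=True)
class Viewer:
    """The user making the history request and the permissions they hold."""
    username: str
    readable_connections: Set[str]  # connections the viewer may use
    readable_users: Set[str]        # other users the viewer may see (assumed READ-on-user)

    def can_see_user(self, username: str) -> bool:
        # Assumed policy: a user can always see their own records.
        return username == self.username or username in self.readable_users


# Constructed sample history; addresses are documentation ranges, not real hosts.
HISTORY: List[HistoryRecord] = [
    HistoryRecord("conn-1", "alice", "203.0.113.10", "2022-07-20T09:00:00Z"),
    HistoryRecord("conn-1", "bob", "198.51.100.7", "2022-07-20T10:30:00Z"),
    HistoryRecord("conn-1", "carol", "192.0.2.44", "2022-07-21T08:15:00Z"),
    HistoryRecord("conn-2", "dave", "198.51.100.9", "2022-07-21T11:00:00Z"),
]


def history_before_fix(viewer: Viewer, connection_id: str,
                       history: List[HistoryRecord]) -> List[HistoryRecord]:
    """The pattern the advisory describes: access to the connection is
    checked, but the records are not filtered by which users the viewer
    is allowed to see, so usernames and remote addresses leak."""
    if connection_id not in viewer.readable_connections:
        return []
    return [r for r in history if r.connection_id == connection_id]


def history_after_fix(viewer: Viewer, connection_id: str,
                      history: List[HistoryRecord]) -> List[HistoryRecord]:
    """Apply the user-visibility check to every record, not just the
    connection-level check."""
    if connection_id not in viewer.readable_connections:
        return []
    return [
        r for r in history
        if r.connection_id == connection_id and viewer.can_see_user(r.username)
    ]


def exposure_gap(viewer: Viewer, connection_id: str,
                 history: List[HistoryRecord]) -> Set[Tuple[str, str]]:
    """(username, remote_host) pairs the unfiltered version exposes to this
    viewer that the filtered version withholds. Useful as a regression check:
    for a viewer with no READ-on-user permissions it should be exactly the
    other users' entries."""
    before = {(r.username, r.remote_host)
              for r in history_before_fix(viewer, connection_id, history)}
    after = {(r.username, r.remote_host)
             for r in history_after_fix(viewer, connection_id, history)}
    return before - after


if __name__ == "__main__":
    alice = Viewer("alice", {"conn-1"}, set())
    for r in history_after_fix(alice, "conn-1", HISTORY):
        print(r)
    print("withheld from alice:", sorted(exposure_gap(alice, "conn-1", HISTORY)))
```

The check worth carrying into a real deployment is the one `exposure_gap` encodes: take a low-privilege account that shares a connection with other users, request that connection's history, and confirm that no username or address other than the account's own appears in the response.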
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Jul 25 13:16:44 2022;