You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by mj...@apache.org on 2022/01/11 21:44:16 UTC

[guacamole-website] branch asf-site updated: Deploy announcement of vulnerabilities fixed in 1.4.0.

This is an automated email from the ASF dual-hosted git repository.

mjumper pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/guacamole-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 9325efc  Deploy announcement of vulnerabilities fixed in 1.4.0.
9325efc is described below

commit 9325efcc500f5480b3f823f0ce36849cad6da371
Author: Michael Jumper <mj...@apache.org>
AuthorDate: Tue Jan 11 13:43:39 2022 -0800

    Deploy announcement of vulnerabilities fixed in 1.4.0.
---
 content/security/index.html | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/content/security/index.html b/content/security/index.html
index a889590..6100bfc 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -426,6 +426,43 @@ discussing the issue in a public forum.</p>
 <p>No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses
 <a href="http://logback.qos.ch/">Logback</a> as its logging backend, not Log4j.</p>
 
+<h2 id="fixed-in-apache-guacamole-140">Fixed in Apache Guacamole 1.4.0</h2>
+<ul>
+    
+        <li>
+            <h3 id="CVE-2021-43999">
+                Improper validation of SAML responses
+                (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999">CVE-2021-43999</a>)
+            </h3>
+            <p>Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received
+from a SAML identity provider. If SAML support is enabled, this may allow a
+malicious user to assume the identity of another Guacamole user.</p>
+
+<p>Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting
+this issue.</p>
+
+
+        </li>
+    
+        <li>
+            <h3 id="CVE-2021-41767">
+                Private tunnel identifier may be included in the non-private details of active connections
+                (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767">CVE-2021-41767</a>)
+            </h3>
+            <p>Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel
+identifier in the non-private details of some REST responses. This may allow an
+authenticated user who already has permission to access a particular connection
+to read from or interact with another user’s active use of that same
+connection.</p>
+
+<p>Acknowledgements: We would like to thank Damian Velardo (Australia and New
+Zealand Banking Group) for reporting this issue.</p>
+
+
+        </li>
+    
+</ul>
+
 <h2 id="fixed-in-apache-guacamole-130">Fixed in Apache Guacamole 1.3.0</h2>
 <ul>