Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/01/08 19:53:14 UTC

[1/6] guacamole-website git commit: Add "Security Reports" page which lists vulnerabilities fixed in Apache Guacamole releases.

Repository: guacamole-website
Updated Branches:
  refs/heads/master 9c8a79225 -> a4ac5af9e


Add "Security Reports" page which lists vulnerabilities fixed in Apache Guacamole releases.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/bd823d25
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/bd823d25
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/bd823d25

Branch: refs/heads/master
Commit: bd823d25fb4e6d973f9d2a45e6379994d9e49938
Parents: 9c8a792
Author: Michael Jumper <mj...@apache.org>
Authored: Sat Jan 6 16:12:22 2018 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Sat Jan 6 16:12:22 2018 -0800

----------------------------------------------------------------------
 _config.yml        |  4 ++++
 _links/security.md |  4 ++--
 security.md        | 43 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/bd823d25/_config.yml
----------------------------------------------------------------------
diff --git a/_config.yml b/_config.yml
index 9aff937..5ee228d 100644
--- a/_config.yml
+++ b/_config.yml
@@ -50,6 +50,10 @@ collections:
     companies:
         output: false
 
+    # Public security vulnerabilities
+    security:
+        output: false
+
 # Site-wide defaults
 defaults:
 

http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/bd823d25/_links/security.md
----------------------------------------------------------------------
diff --git a/_links/security.md b/_links/security.md
index 6ddef85..764e3b6 100644
--- a/_links/security.md
+++ b/_links/security.md
@@ -1,5 +1,5 @@
 ---
-menu-title:  Security
+menu-title:  Security Reports
 menu-weight: 4
-location:    http://www.apache.org/security/
+location:    /security/
 ---
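Review bot: `/security/` is a root-relative path, so the menu entry only resolves while the site is served from the domain root; if a `baseurl` is ever configured, `location` would need to be built with `{{ site.baseurl }}/security/` (or `relative_url`). This change also drops the menu's only link to http://www.apache.org/security/; that is acceptable because the new `security.md` links to the ASF Security Team in its reporting section, but worth confirming that is intended.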

http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/bd823d25/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
new file mode 100644
index 0000000..9bf1ff0
--- /dev/null
+++ b/security.md
@@ -0,0 +1,43 @@
+---
+layout: page 
+title: Security Reports
+permalink: /security/
+---
+
+This page lists all security vulnerabilities fixed in released versions of
+Apache Guacamole. Each vulnerability is listed with a description of the
+problem, its associated [CVE
+number](https://cve.mitre.org/about/faqs.html#what_is_cve_id), and the
+Guacamole release in which the vulnerability was fixed.
+
+Reporting new vulnerabilities
+-----------------------------
+
+If you believe you have discovered a security problem in Apache Guacamole,
+please follow [responsible
+disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) practices and
+report discovered security issues privately, either to the private security
+mailing list of the [ASF Security Team](https://www.apache.org/security/) or
+the <pr...@guacamole.apache.org> mailing list, before disclosing or
+discussing the issue in a public forum.
+
+{% assign releases = site.security | group_by: 'fixed' %}
+{% for release in releases %}
+
+Fixed in Apache Guacamole {{ release.name }}
+--------------------------------------------
+
+<ul>
+    {% assign reports = release.items | sort: 'title' %}
+    {% for report in reports %}
+    <li>
+        <h3 id="{{ report.cve }}">
+            {{ report.title }}
+            (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ report.cve | url_encode }}">{{ report.cve }}</a>)
+        </h3>
+        {{ report.content }}
+    </li>
+    {% endfor %}
+</ul>
+{% endfor %}
+
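Review bot: the order of the "Fixed in ..." sections is not controlled: `group_by: 'fixed'` keeps the collection's document order (alphabetical by filename, i.e. by CVE id), so the newest release is not guaranteed to come first; sort or reverse the groups before iterating. Also, every group is labelled "Apache Guacamole" even though the collection can hold reports whose `fixed` value predates the ASF releases. The `href` passes `report.cve` through `url_encode` while the `<h3 id="{{ report.cve }}">` emits it raw; since these are committed front-matter values that is fine, but treat the two consistently. Minor style: trailing whitespace after `layout: page`.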


[5/6] guacamole-website git commit: Use different header for releases made prior to the move to Apache.

Posted by vn...@apache.org.
Use different header for releases made prior to the move to Apache.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/941a6bfc
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/941a6bfc
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/941a6bfc

Branch: refs/heads/master
Commit: 941a6bfc704c4129d242e6ab8865f6c84d91a0ee
Parents: 8f95738
Author: Michael Jumper <mj...@apache.org>
Authored: Mon Jan 8 11:28:49 2018 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Mon Jan 8 11:28:49 2018 -0800

----------------------------------------------------------------------
 security.md | 6 ++++++
 1 file changed, 6 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/941a6bfc/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
index c85b78a..701288d 100644
--- a/security.md
+++ b/security.md
@@ -24,8 +24,14 @@ discussing the issue in a public forum.
 {% assign releases = site.security | group_by: 'fixed' %}
 {% for release in releases reversed %}
 
+{% assign asfrelease = site.releases | where: 'title', release.name %}
+{% if asfrelease != empty %}
 Fixed in Apache Guacamole {{ release.name }}
 --------------------------------------------
+{% else %}
+Fixed in Guacamole {{ release.name }} (pre-Apache release)
+----------------------------------------------------------
+{% endif %}
 
 <ul>
     {% assign reports = release.items | sort: 'title' %}
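Review bot: the pre-Apache detection relies on an exact string match between `release.name` (the reports' `fixed` value) and the `title` of a document in `site.releases`; any formatting difference (for example `0.9.11-incubating` vs `0.9.11`) would silently relabel an ASF release as a pre-Apache one. A short Liquid comment documenting that coupling, and a check that the `fixed` values in `_security/` match existing release titles, would make the fallback branch harder to hit by accident. Comparing the result of `where` against `empty` is correct for the array it returns.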


[2/6] guacamole-website git commit: Document vulnerability CVE-2017-3158, fixed in 0.9.11-incubating.

Posted by vn...@apache.org.
Document vulnerability CVE-2017-3158, fixed in 0.9.11-incubating.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/172a5c32
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/172a5c32
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/172a5c32

Branch: refs/heads/master
Commit: 172a5c32896f56dac0576983cc44046e220f2f7a
Parents: bd823d2
Author: Michael Jumper <mj...@apache.org>
Authored: Sat Jan 6 16:12:48 2018 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jan 7 19:28:58 2018 -0800

----------------------------------------------------------------------
 _security/CVE-2017-3158.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/172a5c32/_security/CVE-2017-3158.md
----------------------------------------------------------------------
diff --git a/_security/CVE-2017-3158.md b/_security/CVE-2017-3158.md
new file mode 100644
index 0000000..5f28bdb
--- /dev/null
+++ b/_security/CVE-2017-3158.md
@@ -0,0 +1,13 @@
+---
+title: Buffer overflow in SSH/telnet terminal emulator
+cve:   CVE-2017-3158
+fixed: 0.9.11-incubating
+---
+
+A race condition in Guacamole's terminal emulator could allow writes of blocks
+of printed data to overlap. Such overlapping writes could cause packet data to
+be misread as the packet length, resulting in the remaining data being written
+beyond the end of a statically-allocated buffer.
+
+Acknowledgements: We would like to thank Hariprasad Ng for reporting this
+issue.
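Review bot: unlike the CVE-2012-4415 entry, this description does not state the affected versions; adding "in Guacamole before 0.9.11-incubating" (or the first affected version, if known) alongside the `fixed` field lets readers judge exposure without cross-referencing the CVE record. The title says "buffer overflow" while the body describes a race condition; the body makes clear that the race is the cause and the out-of-bounds write the effect, so the two are consistent, but the one-line title could say "out-of-bounds write" to avoid the mismatch. Minor: the file has no trailing blank line, unlike the other two reports.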


[6/6] guacamole-website git commit: Merge add "Security Reports" page listing the vulnerabilities fixed in particular Guacamole releases.

Posted by vn...@apache.org.
Merge add "Security Reports" page listing the vulnerabilities fixed in particular Guacamole releases.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/a4ac5af9
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/a4ac5af9
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/a4ac5af9

Branch: refs/heads/master
Commit: a4ac5af9ec32705e0945b5eec83d1b2850ded0fb
Parents: 9c8a792 941a6bf
Author: Nick Couchman <vn...@apache.org>
Authored: Mon Jan 8 14:52:27 2018 -0500
Committer: Nick Couchman <vn...@apache.org>
Committed: Mon Jan 8 14:52:27 2018 -0500

----------------------------------------------------------------------
 _config.yml                |  4 ++++
 _links/security.md         |  4 ++--
 _security/CVE-2012-4415.md | 14 ++++++++++++
 _security/CVE-2016-1566.md | 14 ++++++++++++
 _security/CVE-2017-3158.md | 13 +++++++++++
 security.md                | 49 +++++++++++++++++++++++++++++++++++++++++
 6 files changed, 96 insertions(+), 2 deletions(-)
----------------------------------------------------------------------



[4/6] guacamole-website git commit: Reverse sort order of releases.

Posted by vn...@apache.org.
Reverse sort order of releases.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/8f957388
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/8f957388
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/8f957388

Branch: refs/heads/master
Commit: 8f95738837976a78c7006504e0181a708f525d50
Parents: 856c62b
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jan 7 19:43:00 2018 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jan 7 19:43:00 2018 -0800

----------------------------------------------------------------------
 security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/8f957388/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
index 9bf1ff0..c85b78a 100644
--- a/security.md
+++ b/security.md
@@ -22,7 +22,7 @@ the <pr...@guacamole.apache.org> mailing list, before disclosing or
 discussing the issue in a public forum.
 
 {% assign releases = site.security | group_by: 'fixed' %}
-{% for release in releases %}
+{% for release in releases reversed %}
 
 Fixed in Apache Guacamole {{ release.name }}
 --------------------------------------------


[3/6] guacamole-website git commit: Document vulnerabilities fixed prior to Guacamole's move to the ASF.

Posted by vn...@apache.org.
Document vulnerabilities fixed prior to Guacamole's move to the ASF.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-website/commit/856c62b2
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-website/tree/856c62b2
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-website/diff/856c62b2

Branch: refs/heads/master
Commit: 856c62b20bfb742627dc898140f6781e81842c05
Parents: 172a5c3
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jan 7 19:39:34 2018 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jan 7 19:42:51 2018 -0800

----------------------------------------------------------------------
 _security/CVE-2012-4415.md | 14 ++++++++++++++
 _security/CVE-2016-1566.md | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/856c62b2/_security/CVE-2012-4415.md
----------------------------------------------------------------------
diff --git a/_security/CVE-2012-4415.md b/_security/CVE-2012-4415.md
new file mode 100644
index 0000000..3e33a57
--- /dev/null
+++ b/_security/CVE-2012-4415.md
@@ -0,0 +1,14 @@
+---
+title: Buffer overflow in guac_client_plugin_open()
+cve:   CVE-2012-4415
+fixed: 0.6.3
+---
+
+A stack-based buffer overflow vulnerability was discovered in the
+`guac_client_plugin_open()` function in libguac in Guacamole before 0.6.3
+which could allow remote attackers to cause a denial of service (crash) or
+execute arbitrary code via a long protocol name.
+
+Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting
+this issue.
+
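Review bot: `guac_client_plugin_open()` is unmarked in `title` but backticked in the body; since `report.title` is emitted straight into an `<h3>` by `security.md` without markdown processing, the bare form in the title is correct as written. Only a style point: this file ends with an extra empty `+` line while `CVE-2017-3158.md` does not; pick one convention for the collection.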

http://git-wip-us.apache.org/repos/asf/guacamole-website/blob/856c62b2/_security/CVE-2016-1566.md
----------------------------------------------------------------------
diff --git a/_security/CVE-2016-1566.md b/_security/CVE-2016-1566.md
new file mode 100644
index 0000000..9328ee1
--- /dev/null
+++ b/_security/CVE-2016-1566.md
@@ -0,0 +1,14 @@
+---
+title: Stored cross-site scripting (XSS) in file browser
+cve:   CVE-2016-1566
+fixed: 0.9.9
+---
+
+A cross-site scripting (XSS) vulnerability was discovered through which files
+with specially-crafted filenames could lead to JavaScript execution if file
+transfer is enabled to a location which is shared by multiple users, and the
+filename is displayed within the file browser located within the Guacamole
+menu.
+
+Acknowledgements: We would like to thank Niv Levy for reporting this issue.
+
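Review bot: the description gives the preconditions (file transfer enabled to a location shared by multiple users, filename rendered by the file browser in the Guacamole menu) but not the affected versions; add "in Guacamole before 0.9.9" for parity with the CVE-2012-4415 entry. It would also help to say whose browser the script runs in (another user viewing the shared location), since "JavaScript execution" alone does not convey that this is a stored XSS affecting other users.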