This shows you the differences between two versions of the page.
security:cve-announcements:heartbleed [2014/05/05 13:02] mikedep333 created |
security:cve-announcements:heartbleed [2015/07/09 23:41] mikedep333 [Announcement]: Remove "will be posted to the x2go-announcements list" |
Line 1: | Line 1: | ||
- | ====== X2Go Announcement on Heartbleed (CVE-2014-0160)====== | + | ====== X2Go Announcement on Heartbleed (CVE-2014-0160) ====== |
- | ===== Announcement | + | ===== Announcement ===== |
The following is the X2Go project' | The following is the X2Go project' | ||
Line 6: | Line 6: | ||
take. | take. | ||
- | 1. When X2Go (both X2Go Client and X2Go Server) | + | 1. When X2Go (both X2Go Client and X2Go Server) |
X2Go Session Broker, X2Go is not vulnerable. | X2Go Session Broker, X2Go is not vulnerable. | ||
+ | |||
If you do use X2Go without a session broker, no action is required in | If you do use X2Go without a session broker, no action is required in | ||
terms of X2Go. | terms of X2Go. | ||
+ | |||
We still strongly advise you to install your Linux distro' | We still strongly advise you to install your Linux distro' | ||
+ | |||
We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go | We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go | ||
client for Mac OS X to 4.0.2.0, in order to avoid vulnerability | client for Mac OS X to 4.0.2.0, in order to avoid vulnerability | ||
Line 17: | Line 20: | ||
2. When X2Go is used with an X2Go Session Broker, these X2Go | 2. When X2Go is used with an X2Go Session Broker, these X2Go | ||
components are vulnerable if the following conditions are met: | components are vulnerable if the following conditions are met: | ||
+ | |||
a. X2Go Session Broker: If the Linux distro uses OpenSSL 1.0.1, the | a. X2Go Session Broker: If the Linux distro uses OpenSSL 1.0.1, the | ||
Linux distro' | Linux distro' | ||
Line 23: | Line 27: | ||
apache configuration. If you are using x2gobroker-daemon, | apache configuration. If you are using x2gobroker-daemon, | ||
enabled in / | enabled in / | ||
+ | |||
b. X2Go Client for Linux: If the Linux distro uses OpenSSL 1.0.1, the | b. X2Go Client for Linux: If the Linux distro uses OpenSSL 1.0.1, the | ||
Linux distro' | Linux distro' | ||
to connect to an X2Go Session broker. | to connect to an X2Go Session broker. | ||
+ | |||
c. X2Go Client for Windows: If X2Go Client is at version | c. X2Go Client for Windows: If X2Go Client is at version | ||
4.0.1.3+build2, | 4.0.1.3+build2, | ||
Broker. | Broker. | ||
+ | |||
d. X2Go Client for Mac OS X: If X2Go Client is at version 4.0.1.3 or | d. X2Go Client for Mac OS X: If X2Go Client is at version 4.0.1.3 or | ||
earlier, and HTTPS is used to connect to the X2Go Session Broker. | earlier, and HTTPS is used to connect to the X2Go Session Broker. | ||
+ | |||
e. PyHoca-GUI for Linux: If you are using a nightly build since | e. PyHoca-GUI for Linux: If you are using a nightly build since | ||
2014-03-18 (when broker support was 1st added,), the Linux distro | 2014-03-18 (when broker support was 1st added,), the Linux distro | ||
uses OpenSSL 1.0.1, the Linux distro' | uses OpenSSL 1.0.1, the Linux distro' | ||
installed, HTTPS is used to connect to an X2Go Session broker. | installed, HTTPS is used to connect to an X2Go Session broker. | ||
+ | |||
f. PyHoca-CLI for Linux: If you are using a nightly build since | f. PyHoca-CLI for Linux: If you are using a nightly build since | ||
2014-03-03 (when broker support was 1st added,) the Linux distro uses | 2014-03-03 (when broker support was 1st added,) the Linux distro uses | ||
Line 48: | Line 57: | ||
X2Go Session Broker: | X2Go Session Broker: | ||
+ | |||
a. Install your Linux distro' | a. Install your Linux distro' | ||
you haven' | you haven' | ||
+ | |||
b. Replace the SSL certificate used by X2Go Session Broker. Consult | b. Replace the SSL certificate used by X2Go Session Broker. Consult | ||
your Linux distro' | your Linux distro' | ||
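Review bot: "Replace the SSL certificate used by X2Go Session Broker" (step b of the broker section) should state explicitly that a new private key must be generated and a new certificate issued for it, with the old certificate revoked; a certificate re-issued over the existing key pair does not help, because the private key itself is what a Heartbleed memory read could have exposed.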
Line 57: | Line 68: | ||
If you are using x2gobroker-daemon, | If you are using x2gobroker-daemon, | ||
specified in / | specified in / | ||
+ | |||
c. Reset the passwords for any user accounts that have been used with | c. Reset the passwords for any user accounts that have been used with | ||
an X2Go Session Broker before the patch was installed. | an X2Go Session Broker before the patch was installed. | ||
- | X2Go Server (follow these instructions if X2Go session broker | + | d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents: |
+ | <code bash> | ||
+ | sudo x2gobroker-keygen | ||
+ | </ | ||
+ | (To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker' | ||
+ | |||
+ | X2Go Server (follow these instructions if X2Go Session Broker | ||
a. Reset the passwords for any user accounts that have been used with | a. Reset the passwords for any user accounts that have been used with | ||
an X2Go Session Broker before the patch was installed. | an X2Go Session Broker before the patch was installed. | ||
+ | |||
+ | b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key: | ||
+ | <code bash> | ||
+ | sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://< | ||
+ | </ | ||
X2Go Client: | X2Go Client: | ||
+ | |||
a. Patch X2Go Client, if you haven' | a. Patch X2Go Client, if you haven' | ||
On Linux, install your Linux Distro' | On Linux, install your Linux Distro' | ||
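Review bot: the new X2Go Server step (b) fetches the broker's new public key from `--broker-url http(s)://<...>`; if that URL is plain http, anyone on the network path can substitute their own key and it will be authorized for SSH logins to that server, so the step should require https (and, since step (b) of the broker section has just replaced the broker's certificate, that the server trusts the new certificate before the command is run). The ordering should also be spelled out: run `sudo x2gobroker-keygen` on the broker first, then `sudo x2gobroker-pubkeyauthorizer` on every server carrying an X2Go Session Broker Agent, because broker-to-agent SSH connections to a server fail until the new key has been authorized there.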
Line 71: | Line 96: | ||
http:// | http:// | ||
On Mac OS X: update X2Go Client to 4.0.2.0. | On Mac OS X: update X2Go Client to 4.0.2.0. | ||
+ | |||
b. Replace all SSH private key / public key pairs that are used by | b. Replace all SSH private key / public key pairs that are used by | ||
X2Go Client to connect to an X2Go Session Broker, or to connect to an | X2Go Client to connect to an X2Go Session Broker, or to connect to an | ||
Line 81: | Line 107: | ||
PyHoca-GUI & PyHoca-CLI | PyHoca-GUI & PyHoca-CLI | ||
+ | |||
a. Patch PyHoca-GUI/ | a. Patch PyHoca-GUI/ | ||
for OpenSSL (CVE-2014-0160). | for OpenSSL (CVE-2014-0160). | ||
+ | |||
b. Replace all SSH private key / public key pairs that are used by | b. Replace all SSH private key / public key pairs that are used by | ||
PyHoca-GUI/ | PyHoca-GUI/ | ||
Line 94: | Line 122: | ||
Fore the full technical details on why the X2Go Project is making these | Fore the full technical details on why the X2Go Project is making these | ||
recommendations, | recommendations, | ||
+ | |||
http:// | http:// | ||
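Review bot: "Fore the full technical details" in the first line of this hunk is a typo for "For"; worth fixing in the same edit that adds the blank line before the URL.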
Line 126: | Line 155: | ||
5. The X2Go session broker and the X2Go Session Broker Agents (running | 5. The X2Go session broker and the X2Go Session Broker Agents (running | ||
on the X2Go Servers) communicate with eachother via SSH connections | on the X2Go Servers) communicate with eachother via SSH connections | ||
- | using the paramiko library for SSH. Therefore, the X2Go Session | + | using the paramiko library for SSH. Therefore, the X2Go Session |
- | agent is not affected, and X2Go Session broker is not affected in | + | Agent is not affected, and X2Go Session broker is not affected in |
terms of communicating with the X2Go Session Broker Agents (the X2Go | terms of communicating with the X2Go Session Broker Agents (the X2Go | ||
- | Servers.) | + | Servers.) |
6. The X2Go session broker can be accessed by an X2Go Client over | 6. The X2Go session broker can be accessed by an X2Go Client over |
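Review bot: the reasoning in point 5 is incomplete: "communicate with eachother via SSH connections using the paramiko library for SSH. Therefore, the X2Go Session Agent is not affected" does not say why the choice of paramiko matters. The actual reason is that Heartbleed is a bug in OpenSSL's handling of the TLS/DTLS heartbeat extension, and SSH is not TLS, so the broker-to-agent channel is unaffected whichever SSH library is used; say that instead. Two style points in the same lines: "X2Go Session Agent" should read "X2Go Session Broker Agent" to match the term used two lines earlier and in the new broker step (d), and "eachother" is two words.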