security:cve-announcements:heartbleed

Differences

This shows you the differences between two versions of the page.

security:cve-announcements:heartbleed [2014/05/08 00:25]
mikedep333 Update instructions for replacing X2Go Session Broker SSH key used to communicate with agents
security:cve-announcements:heartbleed [2014/05/08 00:41]
mikedep333 grammar typo
Line 1: Line 1:
-====== X2Go Announcement on Heartbleed (CVE-2014-0160)======+====== X2Go Announcement on Heartbleed (CVE-2014-0160) ======
 ===== Announcement (will be posted to the x2go-announcement list) ===== ===== Announcement (will be posted to the x2go-announcement list) =====
  
Line 6: Line 6:
 take. take.
  
-1. When X2Go (both X2Go Client and X2Go Server) are used without an+1. When X2Go (both X2Go Client and X2Go Server) is used without an
 X2Go Session Broker, X2Go is not vulnerable. X2Go Session Broker, X2Go is not vulnerable.
 +
 If you do use X2Go without a session broker, no action is required in If you do use X2Go without a session broker, no action is required in
 terms of X2Go. terms of X2Go.
 +
 We still strongly advise you to install your Linux distro's patch for OpenSSL. We still strongly advise you to install your Linux distro's patch for OpenSSL.
 +
 We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go
 client for Mac OS X to 4.0.2.0, in order to avoid vulnerability client for Mac OS X to 4.0.2.0, in order to avoid vulnerability
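Review bot: With the blank lines added in item 1, "no action is required in terms of X2Go" now stands as its own paragraph, directly followed by two paragraphs that do recommend action (installing the distro's OpenSSL patch, and updating X2Go Client for Windows and Mac OS X to 4.0.2.0). A reader who stops at the first paragraph may skip the client update. Consider joining the statement to the advice that follows, for example "no action is strictly required in terms of X2Go, but we advise the following".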
Line 71: Line 74:
 d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents: d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents:
 sudo x2gobroker-keygen sudo x2gobroker-keygen
-(To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with X2Go Session Broker Agents is in the broker's memory. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker's memory, so it does not need to be replaced.) +(To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker's memory. Therefore, the broker could leak the key to an X2Go Client that accesses the broker over HTTPS. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker's memory, so it does not need to be replaced.) 
  
 X2Go Server (follow these instructions if X2Go Session Broker was vulnerable): X2Go Server (follow these instructions if X2Go Session Broker was vulnerable):
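Review bot: The sentence added to the parenthetical in step d limits the exposure to "an X2Go Client that accesses the broker over HTTPS", but CVE-2014-0160 lets any peer that can reach the broker's TLS port read process memory through heartbeat requests, whether or not it is an X2Go Client and without authenticating. Suggest "the broker could leak the key to anyone who can connect to its HTTPS port". Shortening "X2Go Session Broker Agents" to "agents" is fine, since the full term appears in the sentence before it. The edit summary "grammar typo" also understates this hunk, which adds a security claim; a summary that names it would help later readers of the page history.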
security/cve-announcements/heartbleed.txt · Last modified: 2015/07/09 23:41 by mikedep333