security:cve-announcements:heartbleed

Differences

This shows you the differences between two versions of the page.

security:cve-announcements:heartbleed [2014/05/08 00:25]
mikedep333 Update instructions for replacing X2Go Session Broker SSH key used to communicate with agents
security:cve-announcements:heartbleed [2015/07/09 23:41]
mikedep333 [Announcement]: Remove "will be posted to the x2go-announcements list"
Line 1: Line 1:
-====== X2Go Announcement on Heartbleed (CVE-2014-0160)====== +====== X2Go Announcement on Heartbleed (CVE-2014-0160) ====== 
-===== Announcement (will be posted to the x2go-announcement list) =====+===== Announcement =====
  
 The following is the X2Go project's announcement on heartbleed The following is the X2Go project's announcement on heartbleed
Line 6: Line 6:
 take. take.
  
-1. When X2Go (both X2Go Client and X2Go Server) are used without an+1. When X2Go (both X2Go Client and X2Go Server) is used without an
 X2Go Session Broker, X2Go is not vulnerable. X2Go Session Broker, X2Go is not vulnerable.
 +
 If you do use X2Go without a session broker, no action is required in If you do use X2Go without a session broker, no action is required in
 terms of X2Go. terms of X2Go.
 +
 We still strongly advise you to install your Linux distro's patch for OpenSSL. We still strongly advise you to install your Linux distro's patch for OpenSSL.
 +
 We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go
 client for Mac OS X to 4.0.2.0, in order to avoid vulnerability client for Mac OS X to 4.0.2.0, in order to avoid vulnerability
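Review bot: The product name is capitalized inconsistently in the unchanged context at the end of this hunk: "X2Go Client for Windows" but "X2Go client for Mac OS X". Since this edit already fixes grammar in the same item ("are" to "is"), capitalize "Client" in the Mac OS X mention too, so both refer to the product by the same name.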
Line 70: Line 73:
  
 d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents: d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents:
 +<code bash>
 sudo x2gobroker-keygen sudo x2gobroker-keygen
-(To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with X2Go Session Broker Agents is in the broker's memory. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker's memory, so it does not need to be replaced.) +</code> 
 +(To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker's memory. Therefore, the broker could leak the key to an X2Go Client that accesses the broker over HTTPS. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker's memory, so it does not need to be replaced.) 
  
 X2Go Server (follow these instructions if X2Go Session Broker was vulnerable): X2Go Server (follow these instructions if X2Go Session Broker was vulnerable):
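Review bot: The rewritten clarification under step d shortens "X2Go Session Broker Agents" to "agents" in one sentence, while the step line and the opening of the same parenthetical keep the full name; use one term throughout so readers do not wonder whether a different component is meant. "However" also needs a comma after it. The added sentence about the broker leaking the key to a client over HTTPS is the actual reason for running x2gobroker-keygen, so it would serve readers better as a plain sentence ahead of the command than inside a trailing parenthetical.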
Line 79: Line 84:
  
 b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key: b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key:
 +<code bash>
 sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://<broker-server>:<port>/<basepatch>/pubkeys/ sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://<broker-server>:<port>/<basepatch>/pubkeys/
 +</code>
  
 X2Go Client: X2Go Client:
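Review bot: The URL placeholder in the newly added code block reads "<basepatch>", which looks like a typo for "<basepath>"; worth fixing now that the line is presented as a command to copy. The "http(s)://" form is also not a literal scheme, so state which one to use: step b authorizes the key served at that URL, and the clarification under step d says clients reach the broker over HTTPS. The visible steps authorize the new broker key but do not mention removing the old, possibly leaked one from what the agent already trusts; if that is not covered outside these lines, add it here.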
security/cve-announcements/heartbleed.txt · Last modified: 2015/07/09 23:41 by mikedep333