security:cve-announcements:heartbleed

Differences

This shows you the differences between two versions of the page.

security:cve-announcements:heartbleed [2014/05/08 00:40]
mikedep333 Additional newlines at the beginning
security:cve-announcements:heartbleed [2015/07/09 23:41] (current)
mikedep333 [Announcement]: Remove "will be posted to the x2go-announcements list"
Line 1: Line 1:
 ====== X2Go Announcement on Heartbleed (CVE-2014-0160) ====== ====== X2Go Announcement on Heartbleed (CVE-2014-0160) ======
-===== Announcement ​(will be posted to the x2go-announcement list) =====+===== Announcement =====
  
 The following is the X2Go project'​s announcement on heartbleed The following is the X2Go project'​s announcement on heartbleed
Line 6: Line 6:
 take. take.
  
-1. When X2Go (both X2Go Client and X2Go Server) ​are used without an+1. When X2Go (both X2Go Client and X2Go Server) ​is used without an
 X2Go Session Broker, X2Go is not vulnerable. X2Go Session Broker, X2Go is not vulnerable.
  
Line 73: Line 73:
  
 d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents: d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents:
 +<code bash>
 sudo x2gobroker-keygen sudo x2gobroker-keygen
 +</​code>​
 (To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker'​s memory. Therefore, the broker could leak the key to an X2Go Client that accesses the broker over HTTPS. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker'​s memory, so it does not need to be replaced.) ​ (To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker'​s memory. Therefore, the broker could leak the key to an X2Go Client that accesses the broker over HTTPS. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker'​s memory, so it does not need to be replaced.) ​
  
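Review bot: step d, now shown as the command `sudo x2gobroker-keygen`, only generates the new key, and step b in the next hunk only authorizes it on the agents. The rationale paragraph right after the command says the old SSH private key may have leaked from the broker's memory, so the old public key also needs to be removed from the agents' authorized keys. If the page does not already say this elsewhere, add that step, or state that x2gobroker-pubkeyauthorizer replaces the old entry if that is the case.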
Line 82: Line 84:
  
 b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key: b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key:
 +<code bash>
 sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://<​broker-server>:<​port>/<​basepatch>/​pubkeys/​ sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://<​broker-server>:<​port>/<​basepatch>/​pubkeys/​
 +</​code>​
  
 X2Go Client: X2Go Client:
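Review bot: the command wrapped in the new `<code bash>` block in step b cannot be pasted into a shell as written. Unquoted, `<broker-server>`, `<port>` and `<basepatch>` would be parsed by bash as redirections, and `http(s)://` is not a literal scheme. Suggest quoting the URL and saying that the placeholders must be substituted. `<basepatch>` also looks like a typo for `<basepath>`. Because this step authorizes the key served at the broker URL, consider recommending https only: a public key fetched over plain http can be replaced in transit, and the wrong key would then be authorized on the agent.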
security/cve-announcements/heartbleed.1399509620.txt.gz · Last modified: 2014/05/08 00:40 by mikedep333