
News

Posted almost 7 years ago by Michael Jumper
The Apache Guacamole community is proud to announce the release of Apache Guacamole 0.9.12-incubating.

Apache Guacamole (incubating) is a clientless remote desktop gateway which supports standard protocols like VNC, RDP, and SSH. We call it "clientless" because no plugins or client software are required; once Guacamole is installed on a server, all you need to access your desktops is a web browser.

The 0.9.12-incubating release features auto-updating connection thumbnails for tab icons, performance improvements, and fixes for issues with printing, file transfer, and terminal emulation. New support for authenticating users based on arbitrary HTTP headers has also been added, allowing the authentication result of external systems sitting between the user and Guacamole to be trusted (as long as those headers can be truly guaranteed to come only from those trusted systems).

A full list of the changes in this release, along with links to downloads and updated documentation, can be found in the release notes:

http://guacamole.incubator.apache.org/releases/0.9.12-incubating/

For more information on Apache Guacamole, please see:

http://guacamole.incubator.apache.org/

Thanks!

The Apache Guacamole (incubating) Community

DISCLAIMER: Apache Guacamole is an effort undergoing Incubation at The Apache Software Foundation (ASF), sponsored by the Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.

Posted about 7 years ago by Michael Jumper
The Apache Guacamole community is proud to announce the release of Apache Guacamole 0.9.11-incubating.

Apache Guacamole (incubating) is a clientless remote desktop gateway which supports standard protocols like VNC, RDP, and SSH. We call it "clientless" because no plugins or client software are required; once Guacamole is installed on a server, all you need to access your desktops is a web browser.

0.9.11-incubating features support for two-factor authentication, password policies, improvements to LDAP support, and support for arbitrary/custom extensions within the Docker images.

A full list of the changes in this release, along with links to downloads and updated documentation, can be found in the release notes:

http://guacamole.incubator.apache.org/releases/0.9.11-incubating/

For more information on Apache Guacamole, please see:

http://guacamole.incubator.apache.org/

Thanks!

The Apache Guacamole (incubating) Community

DISCLAIMER: Apache Guacamole is an effort undergoing Incubation at The Apache Software Foundation (ASF), sponsored by the Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.

Posted about 7 years ago by Michael Jumper
The Apache Guacamole community is proud to announce the release of Apache Guacamole 0.9.10-incubating.

Apache Guacamole (incubating) is a clientless remote desktop gateway which supports standard protocols like VNC, RDP, and SSH. We call it "clientless" because no plugins or client software are required; once Guacamole is installed on a server, all you need to access your desktops is a web browser.

0.9.10-incubating is our first release under the Apache Incubator. It features support for both screen sharing and recording, improved file transfer behavior, and support for LDAP within the Docker images. Local clipboard integration has also been added (for those browsers which support it), as well as audio input for RDP, theming/branding via extensions, and several other improvements.

A full list of the changes in this release, along with links to downloads and updated documentation, can be found in the release notes:

http://guacamole.incubator.apache.org/releases/0.9.10-incubating/

For more information on Apache Guacamole, please see:

http://guacamole.incubator.apache.org/

Thanks!

The Apache Guacamole (incubating) Community

DISCLAIMER: Apache Guacamole is an effort undergoing Incubation at The Apache Software Foundation (ASF), sponsored by the Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.

Posted almost 8 years ago by Michael Jumper
Hello all,

I'm pleased to report that Guacamole has been accepted into the Apache Incubator, and is thus now Apache Guacamole (incubating). It is not an Apache top-level project, but that is the ultimate goal. All Apache projects must start in the Incubator. The new project website can now be found here:

http://guacamole.incubator.apache.org/

We believe this will only serve to help the Guacamole community of users and developers grow (and we're pretty excited about the whole thing).

To any who might be concerned of what this all actually means in practical terms, the following are the primary differences:

- The new project mailing lists should be used instead of these forums!
- The project is known as Apache Guacamole and has been properly assigned via a software grant to the Apache Software Foundation. To properly note that the project is in the Incubator and is not yet endorsed by the ASF, you will see it referred to as "Apache Guacamole (incubating)".
- The project is now under the Apache License, Version 2.0. This is not retroactive, so old versions of the source continue to be MIT, but going forward all things are Apache licensed.
- The git repositories have been renamed and moved (incubator-guacamole-server, incubator-guacamole-client, incubator-guacamole-manual).
- The Java packages and Maven IDs are now "org.apache.guacamole", not "org.glyptodon.guacamole".
- While we are incubating, released versions will have a "-incubating" suffix. This affects future releases, not past releases.
- The project JIRA has moved to https://issues.apache.org/jira/browse/GUACAMOLE/

Overall, this is nothing but good news and good things. We're extremely happy to have grown this far. Come join us on the mailing lists!

Thanks,

Mike

Posted about 8 years ago by Michael Jumper
Security Advisory - Stored XSS (CVE-2016-1566 / GUAC-1465)

Since version 0.9.8, Guacamole has provided access to files via a file browser located in the Guacamole menu. If file transfer is enabled on a remote desktop connection, this file browser displays a navigable hierarchy of files to which the user has access.

A cross-site scripting (XSS) vulnerability was discovered and reported by Niv Levy through which files with specially-crafted names could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users.

Administrators providing access to Guacamole 0.9.8 or 0.9.9 are encouraged to update to the patched versions of Guacamole 0.9.8 and 0.9.9 provided below.

Vulnerability: Stored XSS
Versions: 0.9.8, 0.9.9
Severity: 2.7 (LOW) (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)

Vulnerability Description

The filenames within Guacamole's file browser are improperly filtered. HTML included in filenames will be interpreted by the browser, possibly leading to script execution. A malicious script would have the same level of access as the compromised Guacamole user. Interpretation of HTML and execution of the script would occur upon the user browsing to the maliciously-named file within the menu.

Am I affected?

You are affected if you host Guacamole 0.9.8 or 0.9.9 and all of the following are true:

- One or more users may upload or create files in a shared location.
- Filenames containing angle brackets are allowed in that shared location.
- File transfer is enabled to that shared location for at least one Guacamole user.

What should I do?

Guacamole 0.9.8 and 0.9.9 have both been patched as of January 13th, 2016. Administrators that previously installed version 0.9.8 or 0.9.9 are encouraged to download the updated guacamole.war file when possible, even if you believe you are not affected. Only guacamole.war needs to be updated.

File                 MD5                               SHA1
guacamole-0.9.8.war  bd1f40b4431060573e78ea3e99eea246  c3f6c30c8f749ed690c7321013999e23425ecf68
guacamole-0.9.9.war  324c17aa305a077a2127378a2d0a7a51  0ba2ff114ac4221794b148ab0e83370dbc6259c5

The official Guacamole Docker images have been updated appropriately. If using Guacamole under Docker, pulling a fresh image of the desired version will resolve the vulnerability.

If you have made your own or vendor-specific modifications to the Guacamole web application, you should manually apply the changes made in commit 7da1312 if you used Guacamole 0.9.8 or 0.9.9 as the basis for your changes.

What if I cannot update Guacamole right now?

Both affected versions of Guacamole have been patched, so no upgrade is necessary - the guacamole.war file needs to be replaced with the patched copy of the same version. Administrators that are unable or unwilling to replace their guacamole.war should ensure that users with file transfer access can only access their own files, and should disable file transfer for any VNC, RDP, or SSH connections where file access is not isolated on a per-user basis.

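
The filename handling described in the advisory above, as an added JavaScript example (not part of the original post, not Guacamole's code, and not the change in commit 7da1312). It contrasts concatenating a filename into markup with encoding it first, and flags names that meet the advisory's angle-bracket condition; all function names and the sample listing are constructed for illustration.

```javascript
// Added illustration: not Guacamole's code, not the change in commit 7da1312.
// Function names and the sample listing are hypothetical and constructed.

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
    return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the filename is concatenated into markup as-is, so any
// HTML inside the name becomes part of the page.
function renderEntryUnsafe(filename) {
    return '<div class="file-entry">' + filename + '</div>';
}

// Safe pattern: the filename is encoded for the HTML context first, so it
// can only ever be displayed as text.
function renderEntrySafe(filename) {
    return '<div class="file-entry">' + escapeHtml(filename) + '</div>';
}

// Audit helper for the advisory's "Am I affected?" condition: return the
// names in a shared location that contain angle brackets.
function findSuspectNames(filenames) {
    return filenames.filter((name) => /[<>]/.test(name));
}

// Constructed listing of a shared file-transfer directory.
const sampleListing = [
    'quarterly-report.pdf',
    '<b>notes</b>.txt',          // harmless markup, enough to show the problem
    'a > b comparison.csv',
    'R&D budget.xlsx'
];

for (const name of sampleListing) {
    console.log('unsafe:', renderEntryUnsafe(name));
    console.log('safe:  ', renderEntrySafe(name));
}
console.log('names to review:', findSuspectNames(sampleListing));
```

In browser code, the counterpart of `renderEntrySafe` is assigning the name to an element's `textContent` rather than its `innerHTML`.
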
Posted about 8 years ago by Michael Jumper
The updated version (with GUAC-1471 fixed) would have the following checksums:

File                           MD5                               SHA1
guacamole-server-0.9.9.tar.gz  cce818bfcba35fe0456b45d988118893  a1ab3bf1e39291e318182b85055587fd98b39de1

If either of the above checksums match the archive you downloaded, then you have the correct version, and do not need to re-download.

Posted about 8 years ago by Mark Cheavens
This was posted 3 days ago, about the same time as I did a new install. How can I tell which version of 0.9.9 I have? Mark