{"id":"MGASA-2021-0272","summary":"Updated guacd packages fix security vulnerabilities","details":"Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the\nuser's session token. This cookie lacked the \"secure\" flag, which could allow\nan attacker eavesdropping on the network to intercept the user's session token\nif unencrypted HTTP requests are made to the same domain (CVE-2018-1340).\n\nApache Guacamole 1.1.0 and older do not properly validate data received from\nRDP servers via static virtual channels. If a user connects to a malicious or\ncompromised RDP server, specially-crafted PDUs could result in disclosure of\ninformation within the memory of the guacd process handling the connection\n(CVE-2020-9497).\n\nApache Guacamole 1.1.0 and older may mishandle pointers involved in processing\ndata received via RDP static virtual channels. If a user connects to a malicious\nor compromised RDP server, a series of specially-crafted PDUs could result in\nmemory corruption, possibly allowing arbitrary code to be executed with the\nprivileges of the running guacd process (CVE-2020-9498).\n\nApache Guacamole 1.2.0 and older do not consistently restrict access to\nconnection history based on user visibility. If multiple users share access to\nthe same connection, those users may be able to see which other users have\naccessed that connection, as well as the IP addresses from which that connection\nwas accessed, even if those users do not otherwise have permission to see\nother users (CVE-2020-11997).\n\nThis is an update of guacd to latest version to fix security issues.\nWe also updated util-linux and ossp_uuid to make them co installable as\nguacd requires ossp_uuid.\n","modified":"2026-04-16T04:44:03.748973815Z","published":"2021-06-23T17:11:28Z","upstream":["CVE-2018-1340","CVE-2020-11997","CVE-2020-9497","CVE-2020-9498"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0272.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28158"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24509"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27593"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/01/18/1"}],"affected":[{"package":{"name":"guacd","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/guacd?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0272.json"}},{"package":{"name":"util-linux","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/util-linux?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.33.2-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0272.json"}},{"package":{"name":"ossp_uuid","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/ossp_uuid?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.2-21.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0272.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}