Re: CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie

[Mike Jumper <mjumper () apache org>]

On Fri, Feb 1, 2019, 04:27 Salvatore Bonaccorso <carnil () debian org wrote:

> Hi Mike,
>
> On Wed, Jan 23, 2019 at 02:21:30PM -0800, Mike Jumper wrote:
> > CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
> >
> > Versions affected:
> > Apache Guacamole 0.9.4 through 0.9.14
> >
> > Description:
> > Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
> > of the user's session token. This cookie lacked the "secure" flag,
> > which could allow an attacker eavesdropping on the network to
> > intercept the user's session token if unencrypted HTTP requests are
> > made to the same domain.
> >
> > Mitigation:
> > Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.
> >
> > Credit:
> > We would like to thank Ross Golder for reporting this issue.
>
> Would it be possible to confirm, is this
> https://issues.apache.org/jira/browse/GUACAMOLE-549
> https://github.com/apache/guacamole-client/commit/884a9c0ee987f9cb49a69
> ?

That is the correct JIRA issue, yes, however there are multiple relevant
commits.

With respect to the security aspect of the changes, the relevant pull
request is:

https://github.com/apache/guacamole-client/pull/273

There are other relevant pull requests, though they deal mainly with
eliminating cookies entirely:

https://github.com/apache/guacamole-client/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+GUACAMOLE-549

- Mike