[winswitch] [ANNOUNCE] xpra-html5 v14: security issues and WebTransport
Antoine Martin
totaam at xpra.org
Sun Jul 7 07:05:12 BST 2024
Hi,
This major update to the HTML5 client fixes some security issues:
* the XSS is mostly theoretical for most use cases: any attacker able to
modify the desktop menu files could just as well edit the source of the
html5 client directly
* the "xor" digest issue is a much more serious one: the html5 client
was failing to identify insecure connections and would send passwords
unencrypted ("xor" hashed) if the authentication module requested it -
which is the case for "sys" (aka "win32" and "pam") modules. This is not
an issue if you are using https, AES or WebTransport modes.
The WebTransport network connector is a major new feature which allows
the html5 client to connect to the xpra server's QUIC UDP ports.
(this requires the unreleased xpra server version 6.1 which you can find
in the beta area)
Updating is strongly recommended.
For more details, please see:
https://github.com/Xpra-org/xpra-html5/releases/tag/v14
Cheers,
Antoine
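
The check described in the "xor" item above, as an added example that is not part of the original message and is not xpra-html5 code: a client refuses the "xor" digest unless the connection is protected by https, AES or WebTransport. All function and field names are hypothetical, and the model of the digest (response = password XOR salt, salt delivered in the challenge) and the inclusion of "wss" are assumptions.

```javascript
// Added example: all names are hypothetical, this is not xpra-html5 code.

// Assumed model of the "xor" digest: response = password XOR salt,
// with the salt delivered in the challenge.
function xorBytes(data, salt) {
  if (salt.length < data.length) throw new Error("salt shorter than data");
  return Uint8Array.from(data, (b, i) => b ^ salt[i]);
}

// XOR is its own inverse: whoever sees salt and response has the password.
function xorIsReversible(password, salt) {
  const back = xorBytes(xorBytes(password, salt), salt);
  return back.every((b, i) => b === password[i]);
}

// Protections named in the announcement: https, AES, WebTransport.
// "wss" is included as an assumption (the websocket of an https page).
function isChannelEncrypted(conn) {
  return conn.scheme === "https" || conn.scheme === "wss" ||
         conn.aes === true || conn.webtransport === true;
}

// Answer a challenge, refusing "xor" when nothing encrypts the channel.
function answerChallenge(challenge, password, conn) {
  if (challenge.digest !== "xor") {
    return { ok: false, reason: "digest not covered by this example" };
  }
  if (!isChannelEncrypted(conn)) {
    return { ok: false, reason: "xor digest refused on unencrypted connection" };
  }
  return { ok: true, response: xorBytes(password, challenge.salt) };
}

// Constructed sample input.
const samplePassword = new TextEncoder().encode("constructed-password");
const sampleChallenge = {
  digest: "xor",
  salt: Uint8Array.from({ length: 32 }, (_, i) => (i * 7 + 3) & 0xff),
};

console.log(answerChallenge(sampleChallenge, samplePassword, { scheme: "ws" }).reason);
console.log(answerChallenge(sampleChallenge, samplePassword, { scheme: "wss" }).ok);
```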