[X2Go-Dev] Windows X2Go Client: Windows XP & VcXsrv security vulnerabilities

Michael DePaulo mikedep333 at gmail.com
Wed Mar 19 04:40:19 CET 2014


Until now, I have been including VcXsrv 1.14.2.1 in the X2Go Client
Windows builds because it is the last version to support Windows XP.

However, it appears that there is 1, and possibly more, security
vulnerabilities in that version.
http://lists.x.org/archives/xorg-announce/2013-October/002332.html

Since security vulnerabilities are about to become an irresolvable
reality for Windows XP users, I propose that I split the X2Go Windows
builds up an XP version, and a version for all later versions of
Windows.

The XP build will use VcXsrv 1.14.2.1, and hopefully we can get the
VcXsrv project to provide security patches for it in the future.

The build for all later versions of Windows will use the latest
VcXsrv, unless a major regression is found in it.

At this time there is no x2goclient.git source code changes needed to
maintain the 2 X2Go Client Windows builds. Nor any nx-libs.git source
code changes. They will merely differ in terms of this one 3rd-party
dependency.

(I intend to do a better job of maintaining these dependencies on
x2goclient-contrib.git and integrate that git repo into the build
process. I would just add every 3rd-party binary file (mostly .DLL
files) to that git repo, but that resets the timestamps, and as a
SysAdmin I HATE it when timestamps get reset. I'll probably zip them
up to preserve the timestamps.)

If anyone here thinks I should just say "screw XP" after April 8th,
consider the fact that I am contributing my time to the Windows builds
and I am willing to maintain the XP builds for the foreseeable future.
I will probably maintain them until April 30th 2015 unless a large
technical obstacle comes up. I do not condone the use of Windows XP
past April 8th, but I believe that X2Go Client can be part of an
organization's solution to migrate away from Windows XP.

-Mike#2



More information about the x2go-dev mailing list