[X2Go-Dev] Dang Nabbit, OpenSSL 2014-10-15 vulns and X2Go Client for Windows

Michael DePaulo mikedep333 at gmail.com
Fri Oct 17 01:49:16 CEST 2014


So more OpenSSL vulnerabilities were announced yesterday:
https://www.openssl.org/news/secadv_20141015.txt

And OpenSSL 1.0.1j was released.

My normal process would be "Update Cygwin OpenSSL binaries and Win32
OpenSSL binaries and then re-release X2Go Client for Windows 4.0.2.1
with a new build # at the end."

However,
1. We are about to release X2Go Client 4.0.3.0.
2. I recently discovered that VcXsrv also bundles a copy of OpenSSL in
its source tree.[1][2] It then appears to statically link against it.
I do not know exactly to what degree it uses OpenSSL, I suspect it
merely uses its cryptography functions in limited ways. This would
probably make it unaffected by most OpenSSL vulns, but I do not wish
to do an analysis.

So what I think I'll do is this:

1. Update VcXsrv's OpenSSL source code and rebuild VcXsrv. The version
string will bump from 1.15.2.0-xp+vc2013+x2go1 to
1.15.2.1-xp+vc2013+x2go1.
2. Release X2Go Client 4.0.3.0 with the updated/rebuilt VcXsrv, the
updated Cygwin OpenSSL, and the updated Win32 OpenSSL.

Note that we will still be bundling the very latest Cygwin packages,
except for OpenSSH. I will keep Cygwin OpenSSH at 6.6.1p1-2, rather
than 6.7p1-1, because there has not been enough time to test such a
large change to X2Go Client for Windows. Cygwin's OpenSSH was updated
on 2014-10-11.

Also note that VcXsrv 1.16.1.0 was released on 2014-10-13. (1.16.0.0
was never released.) I will not be upgrading to that on such short
notice.

-Mike#2

[1] http://sourceforge.net/p/vcxsrv/code/ci/master/tree/openssl/
[2] http://sourceforge.net/u/mikedep333/vcxsrv/ci/xp-latestmsvc2013-x2gochanges/tree/openssl/
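The VcXsrv discovery above is a general supply-chain problem: a statically linked OpenSSL does not show up as a DLL or package, so an inventory of "which OpenSSL versions ship in this installer" has to look inside the binaries. Every OpenSSL build embeds its OPENSSL_VERSION_TEXT string (for example "OpenSSL 1.0.1j 15 Oct 2014"), and that string survives static linking. The following is an added example, not code from the post or from the X2Go or VcXsrv projects; the function names, the constructed byte strings standing in for binaries, and the cutoff of 1.0.1j are all my own choices.

```python
import re
from typing import List, NamedTuple

# OPENSSL_VERSION_TEXT as embedded in OpenSSL builds, e.g.
# b"OpenSSL 1.0.1j 15 Oct 2014". The date is optional (some builds drop it)
# and a "-fips" suffix is tolerated. Covers the pre-1.1.0 letter-suffix scheme
# that the 1.0.1 series uses.
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-fips)?(?: +\d{1,2} \w{3} \d{4})?"
)


class OpenSSLHit(NamedTuple):
    offset: int    # byte offset of the version string in the scanned blob
    version: str   # e.g. "1.0.1i"


def version_key(version: str):
    """Sort key for pre-1.1.0 OpenSSL versions: "1.0.1i" -> (1, 0, 1, "i").
    The patch letter sorts lexically, which matches how OpenSSL ordered
    1.0.1a .. 1.0.1j; a bare "1.0.1" sorts before "1.0.1a"."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def find_openssl_versions(blob: bytes) -> List[OpenSSLHit]:
    """Return every embedded OpenSSL version string found in the blob."""
    return [
        OpenSSLHit(m.start(), (m.group(1) + m.group(2)).decode("ascii"))
        for m in VERSION_RE.finditer(blob)
    ]


def outdated_hits(blob: bytes, minimum: str = "1.0.1j") -> List[OpenSSLHit]:
    """Hits whose version is older than `minimum` (default: the fixed release)."""
    floor = version_key(minimum)
    return [h for h in find_openssl_versions(blob) if version_key(h.version) < floor]


def scan_file(path: str, minimum: str = "1.0.1j") -> List[OpenSSLHit]:
    """Scan a real file (DLL, EXE, static-linked server binary) on disk."""
    with open(path, "rb") as f:
        return outdated_hits(f.read(), minimum)


# Constructed sample blobs standing in for binaries; not real X2Go/VcXsrv files.
SAMPLE_OLD = b"\x00\x00MZ\x90junk\x00OpenSSL 1.0.1i 6 Aug 2014\x00more\x00"
SAMPLE_NEW = b"\x00OpenSSL 1.0.1j 15 Oct 2014\x00"
SAMPLE_NONE = b"\x00no crypto library here\x00"

if __name__ == "__main__":
    for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("none", SAMPLE_NONE)):
        hits = find_openssl_versions(blob)
        old = outdated_hits(blob)
        print(f"{name}: found={[h.version for h in hits]} outdated={[h.version for h in old]}")
```

Two caveats apply when using this on a release tree: a hit proves that a copy of OpenSSL is embedded, not which of its functions the program actually calls, so it flags candidates for the kind of analysis the post declines to do rather than confirmed exposure; and a clean result is only as good as the strings, so a build that stripped or renamed the version text would be missed.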
