[X2Go-Dev] Status of fixing CVE-2015-0255 (2015-02-10)

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Feb 17 22:34:53 CET 2015


Hi Mike#2,

On  Di 17 Feb 2015 18:48:26 CET, Mihai Moldovan wrote:

> On 17.02.2015 02:39 PM, Michael DePaulo wrote:
>> On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo  
>> <mikedep333 at gmail.com> wrote:
>>> I am looking into fixing the recently announced X.org vulnerability
>>> (CVE-2015-0255) in nx-libs.
>>> http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>>>
>>> It looks like nx-libs is affected.
>>>
>>> It also looks like some distros (Fedora, Debian) have fixed it, while
>>> others (RHEL 5, 6 and 7, Debian LTS) have not.
>>>
>>> It also looks like the X.org 1.16.x commits are easier to apply to
>>> nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are
>>> linked to on that advisory page.
>>>
>>> The X.org 1.16.x commits are here:
>>> the branch:
>>> http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
>>> the prereq:
>>> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
>>> the fix itself:
>>> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
>>>
>>> -Mike#2
>> Status Update:
>>
>> I managed to backport the prereq commit to nx-libs 3.6.x.
>> http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d26b458d8bd6cf3c560
>
> LGTM, thanks!
>
>
>
> Mihai

Please directly apply the patch on top of the 3.6.x code and push to  
3.6.x branches (Arctica/X2Go nx-libs repo).

I will backport the patch to the 3.5.0.x branch for X2Go (and Arctica)  
(or you may do it yourself: Please use the Git commit from the 3.6.x  
branch in debian/patches/ for this). Similar to how I backported the  
other 40 patches you provided.

Thanks+Greets,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150217/8b54cc72/attachment.pgp>


More information about the x2go-dev mailing list