Dear all,
this is to announce a new Windows-specific security update release of
the X2Go component ,,x2goclient''.
The change in this release of ,,x2goclient'' is:
o VcXsrv was updated from 1.4.3.1 to 1.4.3.2. The difference is that
VcXsrv 1.14.3.2 has backported fixes for X.Org vulnerabilities
CVE-2014-0209, CVE-2014-0210, and CVE-2014-0211.
All Windows users of 4.0.2.0 are strongly encouraged to update to
4.0.2.0+build2. This includes users of the "misc" fonts and "full"
fonts builds.
For more info on this release, see this page:
http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.0.2.0
Regards,
Mike DePaulo
I originally sent this email to x2go-announcements(a)lists.x2go.org on
2014-05-08 (UTC Time.) I am re-sending the email now because there was
an issue that prevented x2go-announcements(a)lists.x2go.org from being
synced with GMANE.org.
--------
The following is the X2Go project's announcement on heartbleed
(CVE-2014-0160) and what actions users & system administrators should
take.
1. When X2Go (both X2Go Client and X2Go Server) is used without an
X2Go Session Broker, X2Go is not vulnerable.
If you do use X2Go without a session broker, no action is required in
terms of X2Go.
We still strongly advise you to install your Linux distro's patch for OpenSSL.
We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go
client for Mac OS X to 4.0.2.0, in order to avoid vulnerability
scanners flagging X2Go Client as vulnerable.
2. When X2Go is used with an X2Go Session Broker, these X2Go
components are vulnerable if the following conditions are met:
a. X2Go Session Broker: If the Linux distro uses OpenSSL 1.0.1, the
Linux distro's CVE-2014-0160 patch is not installed, and HTTPS is
enabled.
(If you are using x2gobroker-wsgi, HTTPS would be enabled in your
apache configuration. If you are using x2gobroker-daemon, it would be
enabled in /etc/default/x2gobroker-daemon .)
b. X2Go Client for Linux: If the Linux distro uses OpenSSL 1.0.1, the
Linux distro's CVE-2014-0160 patch is not installed, and HTTPS is used
to connect to an X2Go Session broker.
c. X2Go Client for Windows: If X2Go Client is at version
4.0.1.3+build2, and HTTPS is used to connect to the X2Go Session
Broker.
d. X2Go Client for Mac OS X: If X2Go Client is at version 4.0.1.3 or
earlier, and HTTPS is used to connect to the X2Go Session Broker.
e. PyHoca-GUI for Linux: If you are using a nightly build since
2014-03-18 (when broker support was first added), the Linux distro
uses OpenSSL 1.0.1, the Linux distro's CVE-2014-0160 patch is not
installed, and HTTPS is used to connect to an X2Go Session broker.
f. PyHoca-CLI for Linux: If you are using a nightly build since
2014-03-03 (when broker support was first added), the Linux distro uses
OpenSSL 1.0.1, the Linux distro's CVE-2014-0160 patch is not
installed, and HTTPS is used to connect to an X2Go Session broker.
(No released versions of PyHoca-GUI or PyHoca-CLI are vulnerable. Mac
OS X builds and Windows builds have not been released for these
nightly versions, only Linux builds have.)
If you meet the aforementioned conditions, we recommend the following.
Note that we recommend following the instructions even if you have
installed the Linux distro's OpenSSL patch in a timely manner:
X2Go Session Broker:
a. Install your Linux distro's patch for OpenSSL (CVE-2014-0160) if
you haven't done so already.
b. Replace the SSL certificate used by X2Go Session Broker. Consult
your Linux distro's instructions on doing so. If you are using
x2gobroker-wsgi (X2Go Session Broker with Apache2 via the WSGI
interface), the path to the SSL cert is specified in the Apache2
configuration. The SSL cert is auto-generated by default for apache2.
If you are using x2gobroker-daemon, the path to the SSL cert is
specified in /etc/default/x2gobroker-daemon .
c. Reset the passwords for any user accounts that have been used with
an X2Go Session Broker before the patch was installed.
d. Replace the SSH key used by X2Go Session Broker to communicate with
X2Go Session Broker Agents:
sudo x2gobroker-keygen
(To clarify, the SSH connection between an X2Go Session Broker and an
X2Go Session Broker Agent (running on an X2Go Server) is not
vulnerable. However the SSH private key used to communicate with
agents is in the broker's memory. Therefore, the broker could leak the
key to an X2Go Client that accesses the broker over HTTPS. In
contrast, the SSH private key used to communicate with X2Go clients is
not in the broker's memory, so it does not need to be replaced.)
X2Go Server (follow these instructions if X2Go Session Broker was vulnerable):
a. Reset the passwords for any user accounts that have been used with
an X2Go Session Broker before the patch was installed.
b. If you have the X2Go Session Broker Agent installed, authorize the
new X2Go Session Broker SSH key:
sudo x2gobroker-pubkeyauthorizer --broker-url
http(s)://<broker-server>:<port>/<basepatch>/pubkeys/
X2Go Client:
a. Patch X2Go Client, if you haven't already done so.
On Linux, install your Linux Distro's patch for OpenSSL (CVE-2014-0160).
On Windows, update X2Go Client to 4.0.2.0. Consult this page if you
require info on what has changed since 4.0.1.3+build2:
http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.0.2.0
On Mac OS X: update X2Go Client to 4.0.2.0.
b. Replace all SSH private key / public key pairs that are used by
X2Go Client to connect to an X2Go Session Broker, or to connect to an
X2Go server.
(To clarify, the SSH connection between an X2Go Client and an X2Go
server is not vulnerable, but the SSH private key can be in the
client's memory. The client could connect to an X2Go Session Broker
over HTTPS, and then leak SSH private keys to the X2Go Session
Broker.)
PyHoca-GUI & PyHoca-CLI
a. Patch PyHoca-GUI/PyHoca-CLI by installing your Linux Distro's patch
for OpenSSL (CVE-2014-0160).
b. Replace all SSH private key / public key pairs that are used by
PyHoca-GUI/PyHoca-CLI to connect to an X2Go Session Broker, or to
connect to an X2Go server.
(To clarify, the SSH connection between PyHoca-GUI/PyHoca-CLI and
an X2Go server is not vulnerable, but the SSH private key can be in
the client's memory. The client could connect to an X2Go Session
Broker over HTTPS, and then leak SSH private keys to the X2Go Session
Broker.)
For the full technical details on why the X2Go Project is making these
recommendations, follow this link:
http://wiki.x2go.org/doku.php/security:cve-announcements:heartbleed
Michael DePaulo
X2Go Developer
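A follow-up check for the broker steps above, added here as an example that is not part of the announcement or of the X2Go project: it reads dpkg's upgrade log and the certificate's notBefore date to flag a broker TLS certificate or broker-to-agent SSH key that still predates the OpenSSL fix, which is exactly the case the announcement says must be rotated even after a timely patch. It assumes a Debian-style /var/log/dpkg.log, a host clock in UTC, and `openssl x509 -noout -startdate`; the log lines and dates below are constructed samples.

```python
"""Post-Heartbleed rotation audit for an X2Go Session Broker host.

Added example; not part of the X2Go announcement or the X2Go project.
Both the broker's TLS certificate and its broker-to-agent SSH key sat in
process memory while the server was exploitable, so the announcement asks
for them to be replaced even if OpenSSL was patched promptly. This script
flags secrets whose creation date still predates the logged fix.

Assumptions (not from the announcement): a Debian-style /var/log/dpkg.log,
a host clock running in UTC (dpkg logs local time, openssl prints GMT).
"""
from __future__ import annotations

import re
import subprocess
import sys
from datetime import datetime, timezone

# dpkg.log upgrade lines: "YYYY-MM-DD HH:MM:SS upgrade <pkg>[:<arch>] <old> <new>".
_DPKG_UPGRADE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) upgrade (?:libssl|openssl)\S* (\S+) (\S+)$"
)

# Constructed sample input (not real log lines from any host).
SAMPLE_DPKG_LOG = """\
2014-03-01 09:00:00 upgrade libssl1.0.0:amd64 1.0.1e-2+deb7u3 1.0.1e-2+deb7u4
2014-04-08 18:30:00 status half-configured libssl1.0.0:amd64 1.0.1e-2+deb7u5
2014-04-08 18:30:00 upgrade libssl1.0.0:amd64 1.0.1e-2+deb7u4 1.0.1e-2+deb7u5
"""
OLD_CERT_STARTDATE = "notBefore=Jan 15 10:00:00 2014 GMT"  # issued before the fix
NEW_CERT_STARTDATE = "notBefore=Apr  9 08:00:00 2014 GMT"  # re-issued after the fix


def last_openssl_upgrade(dpkg_log: str) -> datetime | None:
    """Timestamp of the most recent libssl/openssl upgrade in the log, or None."""
    latest = None
    for line in dpkg_log.splitlines():
        m = _DPKG_UPGRADE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if latest is None or ts > latest:
                latest = ts
    return latest


def parse_not_before(startdate_output: str) -> datetime:
    """Parse 'notBefore=Apr  9 08:00:00 2014 GMT' into a naive UTC datetime."""
    value = startdate_output.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def needs_rotation(created: datetime, fix_installed: datetime | None) -> bool:
    """True if the secret predates the fix, or if no fix upgrade was logged at all."""
    return fix_installed is None or created < fix_installed


def audit(dpkg_log: str, cert_startdate: str, key_mtime_epoch: float) -> dict[str, bool]:
    """Map each broker secret to whether the announcement's rotation step is still due."""
    fix = last_openssl_upgrade(dpkg_log)
    key_created = datetime.fromtimestamp(key_mtime_epoch, tz=timezone.utc).replace(tzinfo=None)
    return {
        "tls_certificate": needs_rotation(parse_not_before(cert_startdate), fix),
        "broker_ssh_key": needs_rotation(key_created, fix),
    }


def cert_startdate(path: str) -> str:
    """Run openssl to fetch the certificate's notBefore line."""
    return subprocess.run(
        ["openssl", "x509", "-noout", "-startdate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # usage: audit.py /path/to/broker-cert.pem /path/to/broker-ssh-key
    import os
    with open("/var/log/dpkg.log") as f:
        log = f.read()
    result = audit(log, cert_startdate(sys.argv[1]), os.path.getmtime(sys.argv[2]))
    for name, due in result.items():
        print(f"{name}: {'ROTATE' if due else 'ok'}")
```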
Dear all,
the X2Go project is proud to announce a new release of the X2Go
component ,,cups-x2go''.
New gains of this version of ,,cups-x2go'' are:
o Provide example .spec file for RPM packaging
o A little README that points you to more documentation
o Debian packaging improvements
Note: I just checked our announcements mailing list and saw that this post
did not make it to our RSS feed at GMANE. Re-sending this mail, now
that the RSS sync with our mailing lists has been fixed.
X2Go Component: cups-x2go
Version: 3.0.1.0
Status: RELEASE
Date: Fri, 09 May 2014 09:16:45 +0200
Fixes these bug report(s): 298 299
Changes:
cups-x2go (3.0.1.0) RELEASED; urgency=low
.
* New upstream version (3.0.1.0):
- Add license file. (Fixes: #298).
- Add a short README that provides some getting started
information. (Fixes: #299).
* debian/source/format:
+ Switch to format 1.0.
* cups-x2go.spec:
+ Ship cups-x2go.spec (RPM package definitions) in upstream
project. (Thanks
to the Fedora package maintainers).
+ Drop (Fedora package) changelog.
* debian/cups-x2go.postrm:
+ Remove special file permissions with dpkg-statoverride on postrm.
Regards,
Mike Gabriel
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel(a)das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x…
Dear all,
the X2Go project is proud to announce a new release of the X2Go
component ,,x2goclient''.
New gains of this version of ,,x2goclient'' are:
o Fully support building against libssh 0.6.x.
o Provide solution for Google Authenticator support.
o Provide a better help window.
o Show changelog and git-log on the terminal
(new options: --changelog, --git-info).
o More improvement for the Mac OS X keyboard.
o Fix of multimonitor support on Linux.
o Use QNetworkAccessManager class for the
communication with a broker http(s) server.
o Allow OTP authentications against http(s) brokers
o Fix pulseaudio integration on Windows (Big thanks
to Mike#2 for the debugging effort and the communication
to pulseaudio upstream!!!)
Above all, Mike#2 (Michael DePaulo) has been very busy on testing
and improving the MS Windows builds of X2Go Client. Thanks a lot for
this!!! You have become a highly valuable member of the X2Go developers
team. Good to have you on board!!!
Note: I just checked our new announcements mailing list and saw that this post
did not make it to our RSS feed at GMANE. Re-sending this mail now
that the RSS feed sync with our ML has been fixed.
X2Go Component: x2goclient
Version: 4.0.2.0
Status: RELEASE
Date: Thu, 10 Apr 2014 13:47:56 +0200
Fixes these bug report(s): 138 349 422 440 446 448 453
Changes:
x2goclient (4.0.2.0) RELEASED; urgency=low
.
[ Oleksandr Shneyder ]
* New upstream version (4.0.2.0):
- Rewrite SSH Classes to support libssh fix.
- Add Class HelpDialog to show options in scroll area.
- Fix authentication on SSH Broker with key + passphrase.
- Set modmap timer timeout to 10 sec on Mac.
- Fix running xmodmap if X2Go Client not started from terminal.
- Setting keyboard modifiers with xmodmap.
- Fix multimonitor support on Linux.
- Display more version info. Parameters --version, --git, --changelog.
- Don't show GUI dialog for --version, --help, etc, if started
from terminal on linux and mac.
- If no user in session config, display system username in pass form.
- Check if txt/changelog and txt/git exist on config phase.
Rename option "--git" to "--git-info".
- Change x2goclient.nsi for nightly builds.
.
[ Josh Lukens ]
* New upstream version (4.0.2.0):
- Switch to QNetworkAccessManager. Appropriately set content type
header to "application/x-www-form-urlencoded" for HTTP post
requests. (Fixes: #440, #138).
- Fix copy+paste errors in QNetworkAccessManager code.
- Provide support for dynamic authentication IDs. This is
a requirement for using the broker client against brokers
that use some sort of OTP authentication mechanism.
(Fixes: #446).
.
[ Mike Gabriel ]
* New upstream version (4.0.2.0):
- Drop create_text.sh again, implement changelog copying
in distro build files. Implement Git history creation for
nightly builds in build scripts.
- Rename txt/git to txt/git-info (make it compliant with cmdline
options).
- Allow starting shadow sessions from the command line with
option --hidden being enabled. (Fixes: #349).
* debian/control:
+ Build-depend on libssh-dev (>= 0.5.4-2).
+ Bump Standards: to 3.9.5. No changes needed.
* debian/rules:
+ Copy debian/changelog into txt/ subfolder during dh_auto_configure.
+ Create txt/git-info files for ChangeLog.git if it exists.
* x2goclient.spec:
+ Copy ChangeLog (or debian/changelog) into txt/ subfolder during
%setup.
+ Copy ChangeLog.gitlog (if present) into txt/ subfolder
during %setup.
+ B-R (epel-7): man2html-core (same as for Fedora builds).
.
[ Mike DePaulo ]
* New upstream version (4.0.2.0):
- Decrease HelpDialog's tab width from 320 to 30
(the width of 10 spaces.) (Fixes: #453)
- Windows: Fix compatibility with PulseAudio 3.0 & later through
new cookie handling. (Fixes: #422)
- Windows: Upgrade included PulseAudio from 1.1 to 5.0.
The 5.0 build is patched for X2Go bug #363 and available here:
https://build.opensuse.org/project/show/home:mikedep333:branches:home:mkbosmans:mingw32:pulseaudio
- Windows: Reapply KDE on Windows's patch for Pageant support to
libssh 0.5.5. (Fixes: #448)
Regards,
Mike Gabriel
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel(a)das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x…
Dear all,
the X2Go project is proud to announce a new release of the X2Go
component ,,nx-libs''.
New gains of this version of ,,nx-libs'' are:
o Fix keystroke detection / configuration.
o Fix filename of keystrokes.cfg
o Really provide 056_nx-X11-Werror-format-security.full.patch
in release tarballs.
Note: the release of this component already dates back by one week. We
have been facing problems with our mailing list sync to GMANE, so I
resend this release announcement as a test message. (Sorry for the SPAM
to those who are subscribed to our announcements mailing lists directly).
X2Go Component: nx-libs
Version: 2:3.5.0.24
Status: RELEASE
Date: Wed, 07 May 2014 09:55:48 +0200
Fixes these bug report(s): 488
Changes:
nx-libs (2:3.5.0.24) RELEASED; urgency=low
.
* Clean up debian/patches/series: Remove commented out patches.
* Make sure, patch 056_nx-X11-Werror-format-security.full.patch gets
included into rolled tarball (by renaming *.patch to *.full.patch).
* Update 320_nxagent_configurable-keystrokes.full.patch: The
keystrokes config file's default name now is keystrokes.cfg (plural).
* Configurable keystrokes: Don't ignore first XML element in
keystrokes.cfg anymore. (Fixes: #488).
* debian/control:
+ Fix: nx-libs source: not-binnmuable-all-depends-any x2goagent
-> nxagent.
Regards,
Mike Gabriel
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel(a)das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x…