-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear all,
This is to announce a new Windows-specific release of the X2Go component ,,x2goclient''.
Note that the 1st release of X2Go Client 4.0.3.1 for Windows was 4.0.3.1-20141214. The changes are relative to that release.
The changes in this release of ,,x2goclient'' are:
o Windows: Win32 OpenSSL updated from 1.0.1j to 1.0.1L, which fixes the CVEs announced on 2015-01-08.
o Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which fixes the CVEs announced on 2015-01-08.
o Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1. The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled OpenSSL has been updated to 1.0.1k, and that xorg-server CVE-2014-8091..8103 have been fixed.
o Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining Pageant support). This fixes CVE-2014-8132, which shouldn't affect x2goclient because x2goclient uses the SSH client functionality, not the SSH server functionality. 0.6.4 also added 4 features related to ECDSA keys.

As with most vulnerabilities in third-party software, the X2Go project has not done an analysis of whether X2Go Client was actually affected by these vulnerabilities (except for libssh CVE-2014-8132). However, as a precaution, we are releasing this updated build of X2Go Client for Windows. Unless an analysis is performed for each vulnerability, we strongly encourage all users to update.
For the Windows-specific release notes for this release, see this page: http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.0.3.1
Regards,
Mike DePaulo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iF4EAREIAAYFAlTDKFkACgkQIFy22CVQsitu3wEA6IWC5BdNFqib0ifSvIrhYkAI
nwbXGCcjQQZT5Y03Q9kBAOkZQ3b7lar71BfBBZhrqACqpNh5lN2c/MhkcH1+kGIm
=f6KC
-----END PGP SIGNATURE-----