This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit df4a3b7270539843ae76275485ca76efcdf361d9 Author: Mike DePaulo <mikedep333@gmail.com> Date: Sun Feb 8 19:16:38 2015 -0500 Fix CVE-2011-4028: File disclosure vulnerability. upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. --- nx-X11/programs/Xserver/os/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c index 9b2431a..79e49d5 100644 --- a/nx-X11/programs/Xserver/os/utils.c +++ b/nx-X11/programs/Xserver/os/utils.c @@ -483,7 +483,7 @@ LockServer(void) /* * Read the pid from the existing file */ - lfd = open(LockFile, O_RDONLY); + lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); if (lfd < 0) { unlink(tmp); FatalError("Can't read lock file %s\n", LockFile); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git