So more OpenSSL vulnerabilities were announced yesterday: https://www.openssl.org/news/secadv_20141015.txt
And OpenSSL 1.0.1j was released.
My normal process would be "Update Cygwin OpenSSL binaries and Win32 OpenSSL binaries and then re-release X2Go Client for Windows 4.0.2.1 with a new build # at the end."
However, probably make it unaffected by most OpenSSL vulns, but I do not wish
- We are about to release X2Go Client 4.0.3.0.
- I recently discovered that VcXsrv also bundles a copy of OpenSSL in its source tree.[1][2] It then appears to statically link against it. I do not know exactly to what degree it uses OpenSSL, I suspect it merely uses its cryptography functions in limited ways. This would
to do an analysis.
So what I think I'll do is this:
- Update VcXsrv's OpenSSL source code and rebuild VcXsrv. The version string will bump from 1.15.2.0-xp+vc2013+x2go1 to 1.15.2.1-xp+vc2013+x2go1.
- Release X2Go Client 4.0.3.0 with the updated/rebuilt VcXsrv, the Updated Cygwin OpenSSL, and the updated Win32 OpenSSL.
Note that we will still be bundling the very latest Cygwin packages, except for OpenSSH. I will keep Cygwin OpenSSH at 6.6.1p1-2, rather than 6.7p1-1, because there has not been enough time to test such a large change to X2Go Client for Windows. Cygwin's OpenSSH was updated on 2014-10-11.
Also note that VcXsrv 1.16.1.0 was released on 2014-10-13. (1.16.0.0 was never released.) I will not be upgrading to that on such short notice.
-Mike#2
[1] http://sourceforge.net/p/vcxsrv/code/ci/master/tree/openssl/ [2] http://sourceforge.net/u/mikedep333/vcxsrv/ci/xp-latestmsvc2013-x2gochanges/...