-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On Sat, Feb 14, 2015 at 12:43 PM, Mike DePaulo <mikedep333@gmail.com> wrote:
... https://docs.google.com/spreadsheets/d/1WeneRYO2TkXYOl5J0WozThsLkreF1DiuJAvK...
...
Also, note that by default, X2GO launches nxagent (the nx-libs X server) with "-nolisten tcp". This is configurable in /etc/x2go/x2goagent.options . This setting mitigates many of the vulnerabilities by preventing nxagent from ever talking to X11 clients not running on the X2Go Server. I will now be determining which vulnerabilities it does mitigate.
Most CVEs are mitigated by "-nolisten TCP", or are N/A because the CVEs can only be exploited by local X11 clients (X11 applications) anyway.
"-nolisten TCP" is especially important for mitigating CVE-2014-8091 because an X11 client need not be authenticated to exploit it. An exploit would result in nxagent (and thus your X2Go session) crashing.
(In layman's terms, unless you kept "-nolisten TCP" set, someone on the network can crash every X2Go session running on an X2Go server.)
2 CVEs are not mitigated by "-nolisten TCP": 2014-0210 CVE-2014-0211 A malicious remote X Font Server can trigger these vulnerabilities, even when the X11 clients are running locally on the X2Go server.
- -Mike#2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iF4EAREIAAYFAlTgn+8ACgkQIFy22CVQsitHFwD/X2v6kUmf1+vVGbG5gvYMAT7d YlZ5Ks62wwK6eSutNR0BAJAI7H83e8TBtIc3vs0OIZamn3tCfBwJ3WZsjwOWT7WC =eykp -----END PGP SIGNATURE-----