Hi all,

I have been noticed about a root exploit in X2Go Server code. This
vulnerability has been (hopefully) fixed in X2Go Server 4.0.1.10 (and
in the LTS release branch 4.0.0.8).

This issue has now been a CVE ID to. Please see below.

All distributors of X2Go Server, please provide package upgrades to
your distribution.

Thanks+Greets, Mike

----- Weitergeleitete Nachricht von cve-assign@mitre.org ----- Datum: Sat, 4 Jan 2014 11:23:29 -0500 (EST) Von: cve-assign@mitre.org Betreff: Re: root exploit in X2Go Server An: mike.gabriel@das-netzwerkteam.de Cc: cve-assign@mitre.org

this is to request or a CVE-ID. We have been reported and we have fixed a root exploit in X2Go Server.

In versions of X2Go Server previous to 4.0.0.8 (LTS release branch) and previous to 4.0.1.10 (main release branch) a normal user could gain root access to X2Go Server machines.

The vulnerability has been fixed by these commits

http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e572... http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a6...

Use CVE-2013-7261 for this issue involving root access through the use of shell metacharacters.

CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

----- Ende der weitergeleiteten Nachricht -----

--

DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...