X2Go Client for Windows (4.0.3.1-20150119) released

[Mike DePaulo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear all,

This is to announce a new Windows-specific release of the X2Go
component ,,x2goclient''

Note that the 1st release of X2Go Client 4.0.3.1 for Windows
was 4.0.3.1-20141214. The changes are relative to that release.

The changes in this release of ,,x2goclient'' are:

  o Windows: Win32 OpenSSL updated from 1.0.1j to 1.0.1L, which
    fixes the CVEs announced on 2015-01-08.
  o Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
    fixes the CVEs announced on 2015-01-08.
  o Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1.
    The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled
    OpenSSL has been updated to 1.0.1k, and that xorg-server
    CVE-2014-8091..8103 have been fixed.
  o Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
    Pageant support). This fixes CVE-2014-8132, which shouldn't
    affect x2goclient because x2goclient uses the SSH client
    functionality, not the SSH server functionality.
    0.6.4 also added 4 features related to ECDSA keys.

As with most vulnerabilities in 3rd party software, the X2Go project
has not done an analysis of whether X2Go Client was actually affected
by these vulnerabilities (except for libssh CVE-2014-8132.) However,
as a precaution, we are releasing this updated build of X2Go Client
for Windows. Unless an analysis is performed for each vulnerability,
we strongly encourage all users to update.

For the Windows-specific release notes for this release, see this page:
http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.0.3.1

Regards,
Mike DePaulo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iF4EAREIAAYFAlTDKFkACgkQIFy22CVQsitu3wEA6IWC5BdNFqib0ifSvIrhYkAI
nwbXGCcjQQZT5Y03Q9kBAOkZQ3b7lar71BfBBZhrqACqpNh5lN2c/MhkcH1+kGIm
=f6KC
-----END PGP SIGNATURE-----