[X2Go-Dev] schedule release of X2Go Client 4.0.2.0
Michael DePaulo
mikedep333 at gmail.com
Mon Mar 31 15:20:22 CEST 2014
Also, I did report the vulnerability as a bug in VcXsrv's bug tracker
6 days ago:
https://sourceforge.net/p/vcxsrv/bugs/17/
On Mon, Mar 31, 2014 at 9:19 AM, Michael DePaulo <mikedep333 at gmail.com> wrote:
> The latest version of VcXsrv, 1.15.0, contains the vulnerability
> CVE-2013-6462 in the component libXfont 1.4.6.
>
> The vulnerability is fixed in libXfont 1.4.7 and VcXsrv's master
> branch contains that update/fix.
>
> I just sent the VcXsrv developer "marha" a message through
> SourceForge.net. I am hoping he will respond soon. I would like to
> avoid releasing X2Go Client 4.0.2.0 with the vulnerable VcXsrv if at
> all possible. As I mentioned below, I'll try to compile VcXsrv's
> master branch if he will not release a new VcXsrv soon. I will also
> try to compile the master this evening if he does not respond by then.
>
> -Mike
>
> -----------------------
>
> Hi,
>
> I'm the Windows maintainer on the X2Go project. We bundle VcXsrv in
> our Windows builds of the X2Go Client.
> http://www.x2go.org
>
> We are about to release X2Go Client 4.0.2.0, but I'd very much not
> like to do so with VcXsrv 1.15.0 because of the vulnerability in
> libXfont 1.4.6:
> https://sourceforge.net/p/vcxsrv/bugs/17/
> Even if we and most users would never trigger that vulnerability,
> shipping vulnerable code is still an issue because vulnerability
> scanning software like McAfee Vulnerability Manager might flag VcXsrv
> 1.15.0 and tell system administrators that they must upgrade.
>
> So I ask that you please release a new version of VcXsrv (presumably
> 1.15.0.1) within the next few days based on commit [d02e67] or later.
> I would be happy to test it.
>
> If you do not, I will look into compiling [d02e67] or later myself.
>
> Thanks,
> Mike DePaulo
>
> On Wed, Mar 19, 2014 at 11:03 PM, Michael DePaulo <mikedep333 at gmail.com> wrote:
>> On Wed, Mar 19, 2014 at 3:03 AM, Mike Gabriel
>> <mike.gabriel at das-netzwerkteam.de> wrote:
>>> On Wed 19 Mar 2014 04:59:30 CET, Michael DePaulo wrote:
>>>> 3. Tomorrow I would put out a nightly build with the following newer
>>>> dependencies. I would appreciate a few days for testing:
>>>> -Latest Cygwin files
>>>> -OpenSSH 6.6p1 with our patch ported and applied
>>>> (patch here: http://code.x2go.org/releases/source/openssh-cygwin/)
>>>> -nx-libs 3.5.0.22 linked against the latest cygwin (I have been
>>>> providing 3.5.0.22 linked against the older cygwin)
>>>> -VcXsrv 1.14.5 (see the email thread "Windows X2Go Client: Windows XP
>>>> & VcXsrv security vulnerabilities" for more info.)
>>>> -libpng 1.2.51
>>>>
>>>> The main reason for these dependency updates/upgrades is that there
>>>> are some security vulnerabilities in the current cygwin files, OpenSSH
>>>> 6.1p1, and in VcXsrv 1.14.2.1.
>>>>
>>>> -Mike#2
>>>
>>>
>>> +1 from me!
>>
>> The build is out:
>> https://lists.berlios.de/pipermail/x2go-user/2014-March/002121.html
>> I would like either 1 or 2 more days of testing. Nobody has replied yet.
>>
>> Also,
>> I confirmed that bug 421 (X2goclient on Windows: sshd.exe does not
>> start.) is a bug.
>> http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=421
>>
>> However, I recommend that we do not delay the 4.0.2.0 release for a fix because:
>> 1. It only affects Windows XP.
>> 2. It was introduced in 4.0.1.2. However, 4.0.0.3 (the previous win32
>> build) had folder sharing broken for some other reason. (4.0.0.3
>> actually had folder sharing broken on newer Windows client OSs too.)
>> 3. I do not know what the cause is or how long it will take to fix.
>>
>> -Mike#2