Hi all,

I have been notified about a root exploit in X2Go Server code. This vulnerability has been (hopefully) fixed in X2Go Server 4.0.1.10 (and in the LTS release branch 4.0.0.8).

This issue has now been assigned a CVE ID, too. Please see below.

All distributors of X2Go Server, please provide package upgrades to your distribution.

Thanks+Greets,
Mike

----- Forwarded message from cve-ass...@mitre.org -----
Date: Sat, 4 Jan 2014 11:23:29 -0500 (EST)
From: cve-ass...@mitre.org
Subject: Re: root exploit in X2Go Server
To: mike.gabr...@das-netzwerkteam.de
Cc: cve-ass...@mitre.org

This is to request a CVE-ID. A root exploit in X2Go Server has been reported to us and we have fixed it. In versions of X2Go Server previous to 4.0.0.8 (LTS release branch) and previous to 4.0.1.10 (main release branch) a normal user could gain root access to X2Go Server machines. The vulnerability has been fixed by these commits:

http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e57286ffeb8e8859177f8de64a33
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a64dd5db5684acbd47a4127ab3

Use CVE-2013-7261 for this issue involving root access through the use of shell metacharacters.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

----- End of forwarded message -----

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev