The latest version of VcXsrv, 1.15.0, contains the vulnerability
CVE-2013-6462 in the component libXfont 1.4.6.

The vulnerability is fixed in libXfont 1.4.7 and VcXsrv's master
branch contains that update/fix.

I just sent the VcXsrv developer "marha" a message through
SourceForge.net. I am hoping he will respond soon. I would like to
avoid releasing X2Go Client 4.0.2.0 with the vulnerable VcXsrv if at
all possible. As I mentioned below, I'll try to compile VcXsrv's
master branch if he will not release a new VcXsrv soon. I will also
try to compile the master this evening if he does not respond by then.

-Mike

-----------------------

Hi,

I'm the Windows maintainer on the X2Go project. We bundle VcXsrv in
our Windows builds of the X2Go Client.
http://www.x2go.org

We are about to release X2Go Client 4.0.2.0, but I'd very much not
like to do so with VcXsrv 1.15.0 because of the vulnerability in
libXfont 1.4.6:
https://sourceforge.net/p/vcxsrv/bugs/17/
Even if we and most users would never trigger that vulnerability,
shipping vulnerable code is still an issue because vulnerability
scanning software like McAfee Vulnerability Manager might flag VcXsrv
1.15.0 and tell system administrators that they must upgrade.

So I ask that you please release a new version of VcXsrv (presumably
1.15.0.1) within the next few days based on commit [d02e67] or later.
I would be happy to test it.

If you do not, I will look into compiling [d02e67] or later myself.

Thanks,
Mike DePaulo

On Wed, Mar 19, 2014 at 11:03 PM, Michael DePaulo <mikedep...@gmail.com> wrote:
> On Wed, Mar 19, 2014 at 3:03 AM, Mike Gabriel
> <mike.gabr...@das-netzwerkteam.de> wrote:
>> On Wed 19 Mar 2014 04:59:30 CET, Michael DePaulo wrote:
>>> 3. Tomorrow I would put out a nightly build out with following newer
>>> dependencies. I would appreciate a few days for testing:
>>> -Latest Cygwin files
>>> -OpenSSH 6.6p1 with our patch ported and applied
>>> (patch here: http://code.x2go.org/releases/source/openssh-cygwin/)
>>> -nx-libs 3.5.0.22 linked against the latest cygwin (I have been
>>> providing 3.5.0.22 linked against the older cygwin)
>>> -VcXsrv 1.14.5 (see the email thread "Windows X2Go Client: Windows XP
>>> & VcXsrv security vulnerabilities" for more info.)
>>> -libpng 1.2.51
>>>
>>> The main reason for these dependency updates/upgrades is that there
>>> are some security vulnerabilities in the current cygwin files, OpenSSH
>>> 6.1p1, and in VcXsrv 1.14.2.1.
>>>
>>> -Mike#2
>>
>>
>> +1 from me!
>
> The build is out:
> https://lists.berlios.de/pipermail/x2go-user/2014-March/002121.html
> I would like either 1 or 2 more days of testing. Nobody has replied yet.
>
> Also,
> I confirmed that bug 421 (X2goclient on Windows: sshd.exe does not
> start.) is a bug.
> http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=421
>
> However, I recommend that we do not delay the 4.0.2.0 release for a fix
> because:
> 1. It only affects Windows XP.
> 2. It was introduced in 4.0.1.2. However, 4.0.0.3 (the previous win32
> build) had folder sharing broken for some other reason. (4.0.0.3
> actually had folder sharing broken on newer Windows client OSs too.)
> 3. I do not know what the cause is or how long it will take to fix.
>
> -Mike#2
_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev