On Mon, Mar 31, 2014 at 10:09 AM, Mike Gabriel <mike.gabr...@das-netzwerkteam.de> wrote: > Hi Michael, > > > On Mo 31 Mär 2014 15:19:07 CEST, Michael DePaulo wrote: > >> The latest version of VcXsrv, 1.15.0, contains the vulnerability >> CVE-2013-6462 in the component libXfont 1.4.6. >> >> The vulnerability is fixed in libXfont 1.4.7 and VcXsrv's master >> branch contains that update/fix. >> >> I just sent the VcXsrv developer "marha" a message through >> SourceForge.net. I am hoping he will respond soon. I would like to >> avoid releasing X2Go Client 4.0.2.0 with the vulnerable VcXsrv if at >> all possible. As I mentioned below, I'll try to compile VcXsrv's >> master branch if he will not release a new VcXsrv soon. I will also >> try to compile the master this evening if he does not respond by then. >> >> -Mike > > > are you sure you want to dive into building VcXsrv? We can also wait a > little more to get that fixed by marha. > > Or we could release and provide builds for Win32 a little later.
Wow. He didn't reply to my sourceforge message or the bug report. But he did post a new version of VcXsrv with the fix, and some other updates: https://sourceforge.net/projects/vcxsrv/files/vcxsrv/1.15.0.1/ I will update X2Go-WinBuilder, do a nightly build, and test X2Go Client. > On the other hand, it problable might be a benefit to be in charge of your > own VcXsrv builds. Maybe not now, but maybe later. This is on the back of my mind (along with a 64-bit windows build of x2goclient + nx-libs.) You see, VcXsrv is now compiled with VS 2012, so the official releases are incompatible with XP. However, as stated on their site, only the makefiles are incompatible with VS 2010 (XP compatible), the source code is still compatible. So later on, I'll look into how much work it would be to compile the latest VcXsrv with VS 2010 so that XP users can get security fixes (in addition to the other changes in newer versions.) -Mike#2 _______________________________________________ X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
