So more OpenSSL vulnerabilities were announced yesterday: https://www.openssl.org/news/secadv_20141015.txt
And OpenSSL 1.0.1j was released.

My normal process would be "Update Cygwin OpenSSL binaries and Win32 OpenSSL binaries and then re-release X2Go Client for Windows 4.0.2.1 with a new build # at the end." However,

1. We are about to release X2Go Client 4.0.3.0.
2. I recently discovered that VcXsrv also bundles a copy of OpenSSL in its source tree.[1][2] It then appears to statically link against it. I do not know exactly to what degree it uses OpenSSL; I suspect it merely uses its cryptography functions in limited ways. This would probably make it unaffected by most OpenSSL vulns, but I do not wish to do an analysis.

So what I think I'll do is this:

1. Update VcXsrv's OpenSSL source code and rebuild VcXsrv. The version string will bump from 1.15.2.0-xp+vc2013+x2go1 to 1.15.2.1-xp+vc2013+x2go1.
2. Release X2Go Client 4.0.3.0 with the updated/rebuilt VcXsrv, the updated Cygwin OpenSSL, and the updated Win32 OpenSSL.

Note that we will still be bundling the very latest Cygwin packages, except for OpenSSH. I will keep Cygwin OpenSSH at 6.6.1p1-2, rather than 6.7p1-1, because there has not been enough time to test such a large change to X2Go Client for Windows. Cygwin's OpenSSH was updated on 2014-10-11.

Also note that VcXsrv 1.16.1.0 was released on 2014-10-13. (1.16.0.0 was never released.) I will not be upgrading to that on such short notice.

-Mike#2

[1] http://sourceforge.net/p/vcxsrv/code/ci/master/tree/openssl/
[2] http://sourceforge.net/u/mikedep333/vcxsrv/ci/xp-latestmsvc2013-x2gochanges/tree/openssl/

_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-dev
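An added check for the situation described above, not part of Mike's message or of the X2Go or VcXsrv projects: a statically linked OpenSSL still carries its "OpenSSL x.y.zL date" banner in the binary, so scanning a build for that banner shows which copy it bundles and whether it is older than the fixed release (1.0.1j here). The sample blob is constructed, and the letter-suffix ordering assumes the 1.0.x versioning scheme of the day.

```python
import re

# libcrypto embeds a banner such as "OpenSSL 1.0.1j 15 Oct 2014"; it survives
# static linking, so it reveals the bundled version without any build metadata.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?: +(\d{1,2} \w{3} \d{4}))?")


def parse_version(v):
    """Turn '1.0.1j' into a comparable tuple (1, 0, 1, 10); no letter -> 0.
    Assumes the 1.0.x scheme where a trailing letter is the patch level."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def find_openssl_versions(blob):
    """Return the distinct OpenSSL version strings embedded in a binary blob."""
    found = {m.group(1).decode() for m in BANNER_RE.finditer(blob)}
    return sorted(found, key=parse_version)


def needs_update(blob, fixed="1.0.1j"):
    """True if any embedded OpenSSL banner is older than the fixed release."""
    return any(parse_version(v) < parse_version(fixed)
               for v in find_openssl_versions(blob))


def check_file(path, fixed="1.0.1j"):
    """Scan a built executable or DLL on disk (e.g. a VcXsrv build)."""
    with open(path, "rb") as f:
        return needs_update(f.read(), fixed)


# Constructed sample standing in for a binary that statically links 1.0.1i.
SAMPLE = (b"MZ\x90\x00...junk...OpenSSL 1.0.1i 6 Aug 2014\x00"
          b"...more junk...OpenSSL 1.0.1i 6 Aug 2014\x00")

if __name__ == "__main__":
    print(find_openssl_versions(SAMPLE), needs_update(SAMPLE))
```

`check_file` can be pointed at each bundled binary (VcXsrv, the Cygwin and Win32 OpenSSL DLLs) before a release to confirm every copy is at or above the fixed version.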