-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear all,
This is to announce a new Windows-specific release of the X2Go
component ,,x2goclient''
Note that the 1st release of X2Go Client 4.0.3.1 for Windows
was 4.0.3.1-20141214. The changes are relative to that release.
The changes in this release of ,,x2goclient'' are:
o Windows: Win32 OpenSSL updated from 1.0.1j to 1.0.1L, which
fixes the CVEs announced on 2015-01-08.
o Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
fixes the CVEs announced on 2015-01-08.
o Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1.
The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled
OpenSSL has been updated to 1.0.1k, and that xorg-server
CVE-2014-8091..8103 have been fixed.
o Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
Pageant support). This fixes CVE-2014-8132, which shouldn't
affect x2goclient because x2goclient uses the SSH client
functionality, not the SSH server functionality.
0.6.4 also added 4 features related to ECDSA keys.
As with most vulnerabilities in 3rd party software, the X2Go project
has not done an analysis of whether X2Go Client was actually affected
by these vulnerabilities (except for libssh CVE-2014-8132.) However,
as a precaution, we are releasing this updated build of X2Go Client
for Windows. Unless an analysis is performed for each vulnerability,
we strongly encourage all users to update.
For the Windows-specific release notes for this release, see this page:
http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.0.3.1
Regards,
Mike DePaulo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iF4EAREIAAYFAlTDKFkACgkQIFy22CVQsitu3wEA6IWC5BdNFqib0ifSvIrhYkAI
nwbXGCcjQQZT5Y03Q9kBAOkZQ3b7lar71BfBBZhrqACqpNh5lN2c/MhkcH1+kGIm
=f6KC
-----END PGP SIGNATURE-----
_______________________________________________
x2go-announcements mailing list
x2go-announcements@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-announcements
