Also, I did report the vulnerability as a bug in VcXsrv's bug tracker 6 days ago: https://sourceforge.net/p/vcxsrv/bugs/17/
On Mon, Mar 31, 2014 at 9:19 AM, Michael DePaulo <[email protected]> wrote:
> The latest version of VcXsrv, 1.15.0, contains the vulnerability
> CVE-2013-6462 in the component libXfont 1.4.6.
>
> The vulnerability is fixed in libXfont 1.4.7 and VcXsrv's master
> branch contains that update/fix.
>
> I just sent the VcXsrv developer "marha" a message through
> SourceForge.net. I am hoping he will respond soon. I would like to
> avoid releasing X2Go Client 4.0.2.0 with the vulnerable VcXsrv if at
> all possible. As I mentioned below, I'll try to compile VcXsrv's
> master branch if he will not release a new VcXsrv soon. I will also
> try to compile the master this evening if he does not respond by then.
>
> -Mike
>
> -----------------------
>
> Hi,
>
> I'm the Windows maintainer on the X2Go project. We bundle VcXsrv in
> our Windows builds of the X2Go Client.
> http://www.x2go.org
>
> We are about to release X2Go Client 4.0.2.0, but I'd very much not
> like to do so with VcXsrv 1.15.0 because of the vulnerability in
> libXfont 1.4.6:
> https://sourceforge.net/p/vcxsrv/bugs/17/
> Even if we and most users would never trigger that vulnerability,
> shipping vulnerable code is still an issue because vulnerability
> scanning software like McAfee Vulnerability Manager might flag VcXsrv
> 1.15.0 and tell system administrators that they must upgrade.
>
> So I ask that you please release a new version of VcXsrv (presumably
> 1.15.0.1) within the next few days based on commit [d02e67] or later.
> I would be happy to test it.
>
> If you do not, I will look into compiling [d02e67] or later myself.
>
> Thanks,
> Mike DePaulo
>
> On Wed, Mar 19, 2014 at 11:03 PM, Michael DePaulo <[email protected]>
> wrote:
>> On Wed, Mar 19, 2014 at 3:03 AM, Mike Gabriel
>> <[email protected]> wrote:
>>> On Wed 19 Mar 2014 04:59:30 CET, Michael DePaulo wrote:
>>>> 3. Tomorrow I would put out a nightly build with the following newer
>>>> dependencies. I would appreciate a few days for testing:
>>>> -Latest Cygwin files
>>>> -OpenSSH 6.6p1 with our patch ported and applied
>>>> (patch here: http://code.x2go.org/releases/source/openssh-cygwin/)
>>>> -nx-libx 3.5.0.22 linked against the latest cygwin (I have been
>>>> providing 3.5.0.22 linked against the older cygwin)
>>>> -VcXsrv 1.14.5 (see the email thread "Windows X2Go Client: Windows XP
>>>> & VcXsrv security vulnerabilities" for more info.)
>>>> -libpng 1.2.51
>>>>
>>>> The main reason for these dependency updates/upgrades is that there
>>>> are some security vulnerabilities in the current cygwin files, OpenSSH
>>>> 6.1p1, and in VcXsrv 1.14.2.1.
>>>>
>>>> -Mike#2
>>>
>>>
>>> +1 from me!
>>
>> The build is out:
>> https://lists.berlios.de/pipermail/x2go-user/2014-March/002121.html
>> I would like either 1 or 2 more days of testing. Nobody has replied yet.
>>
>> Also,
>> I confirmed that bug 421 (X2goclient on Windows: sshd.exe does not
>> start.) is a bug.
>> http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=421
>>
>> However, I recommend that we do not delay the 4.0.2.0 release for a fix
>> because:
>> 1. It only affects Windows XP.
>> 2. It was introduced in 4.0.1.2. However, 4.0.0.3 (the previous win32
>> build) had folder sharing broken for some other reason. (4.0.0.3
>> actually had folder sharing broken on newer Windows client OSs too.)
>> 3. I do not know what the cause is or how long it will take to fix.
>>
>> -Mike#2

_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
