On Sat, Feb 14, 2015 at 12:43 PM, Mike DePaulo <[email protected]> wrote:
> ...
> https://docs.google.com/spreadsheets/d/1WeneRYO2TkXYOl5J0WozThsLkreF1DiuJAvKCj7xFjU/edit#gid
>
>
> ...
>
> Also, note that by default, X2GO launches nxagent (the nx-libs X
> server) with "-nolisten tcp". This is configurable in
> /etc/x2go/x2goagent.options . This setting mitigates many of the
> vulnerabilities by preventing nxagent from ever talking to X11
> clients not running on the X2Go Server. I will now be determining
> which vulnerabilities it does mitigate.

Most CVEs are mitigated by "-nolisten TCP", or are N/A because the CVEs can only be exploited by local X11 clients (X11 applications) anyway.

"-nolisten TCP" is especially important for mitigating CVE-2014-8091 because an X11 client need not be authenticated to exploit it. An exploit would result in nxagent (and thus your X2Go session) crashing. (In layman's terms, unless you kept "-nolisten TCP" set, someone on the network can crash every X2Go session running on an X2Go server.)

2 CVEs are not mitigated by "-nolisten TCP":
2014-0210
CVE-2014-0211

A malicious remote X Font Server can trigger these vulnerabilities, even when the X11 clients are running locally on the X2Go server.

-Mike#2
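
An added example, not part of the original message and not X2Go project code: a shell check that the setting discussed above is still active in an options file and that no nxagent process holds an X11 TCP listener. The function names, the sample file contents (including the variable name shown in them) and the sample `ss` lines are constructed for illustration; the 6000-6999 port window assumes display numbers 0-999.

```shell
#!/usr/bin/env bash
# Added example: audit that nxagent is kept off TCP for X11 connections.

# Read an options file on stdin. Succeeds only if an active (uncommented)
# line passes "-nolisten tcp"; a commented-out setting does not count.
check_nolisten() {
    sed -e 's/#.*$//' | grep -Eq -- '-nolisten[[:space:]]+tcp'
}

# Read `ss -H -ltnp` style lines on stdin and print each TCP port in the X11
# range (6000 + display number; displays 0-999 is an assumption) that an
# nxagent process is listening on. Returns 1 if any such listener exists.
nxagent_x11_listeners() {
    awk '
        /"nxagent"/ {
            n = split($4, a, ":")        # last piece is the port, also for [::]:6050
            port = a[n] + 0
            if (port >= 6000 && port <= 6999) { print port; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample data (not taken from a real server).
SAMPLE_OPTIONS='# constructed sample of an agent options file
#X2GO_NXAGENT_DEFAULT_OPTIONS="-extension XFIXES"
X2GO_NXAGENT_DEFAULT_OPTIONS="-extension XFIXES -extension GLX -nolisten tcp"'
SAMPLE_SS='LISTEN 0 128 127.0.0.1:30001 0.0.0.0:* users:(("nxagent",pid=2211,fd=6))
LISTEN 0 128 0.0.0.0:6050 0.0.0.0:* users:(("nxagent",pid=2211,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))'

if printf '%s\n' "$SAMPLE_OPTIONS" | check_nolisten; then
    echo "options: -nolisten tcp is set"
else
    echo "options: -nolisten tcp is MISSING"
fi

ports=$(printf '%s\n' "$SAMPLE_SS" | nxagent_x11_listeners) \
    || echo "nxagent accepts X11 over TCP on port(s): $ports"
```

On a server, feed the functions real input instead of the samples: `check_nolisten < /etc/x2go/x2goagent.options` and `ss -H -ltnp | nxagent_x11_listeners`.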
