On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <[email protected]> wrote:
> I am looking into fixing the recently announced X.org vulnerability
> (CVE-2015-0255) in nx-libs.
> http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>
> It looks like nx-libs is affected.
>
> It also looks like some distros (Fedora, Debian) have fixed it, while
> others (RHEL 5, 6 and 7, Debian LTS) have not.
>
> It also looks like the X.org 1.16.x commits are easier to apply to
> nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are
> linked to on that advisory page.
>
> The X.org 1.16.x commits are here:
> the branch:
> http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
> the prereq:
> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
> the fix itself:
> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
>
> -Mike

Status Update:

I managed to backport the prereq commit to nx-libs 3.6.x.
http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d26b458d8bd6cf3c560

It was non-trivial to merge due to this refactoring commit from 2011:
http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=2c7c520cfe0df30f4bc3adba59d9c62582823bf8
