doc:release-notes-mswin:x2goclient-4.0.2.0

Differences

This shows you the differences between two versions of the page.

doc:release-notes-mswin:x2goclient-4.0.2.0 [2014/04/24 00:50]
mikedep333 Clarify builds
doc:release-notes-mswin:x2goclient-4.0.2.0 [2014/04/24 00:56]
mikedep333 [Windows-Specific Bug Fixes] typo
Line 80: Line 80:
  
 The following bugfixes are not mentioned in the regular release notes. (They are not mentioned in the regular release notes because they do not consist of fixes to X2GoClient's source code, only to the dependencies bundled.): The following bugfixes are not mentioned in the regular release notes. (They are not mentioned in the regular release notes because they do not consist of fixes to X2GoClient's source code, only to the dependencies bundled.):
-    *CVE-2014-0160 "Heartbleed" vulnerability (Note: X2Go Client was only affected by the heartbleed vulnerability when connecting to a an X2Go session broker over HTTPS. Even though X2Go Client uses libssh and cygwin's openssh, which both in turn use openssl, they were never affected because the SSH protocol does not contain the SSL heartbeat. For more info on why SSH implementations are not affected, read [[https://access.redhat.com/site/solutions/786603|Red hat's solution article.]]. The only difference between that solution article and X2Go Client is that the vulnerable library file is ssleay32.dll and the non-affected library files are both libeay32.dll and cygcrypto-1.0.0.dll .) +    *CVE-2014-0160 "Heartbleed" vulnerability (Note: X2Go Client was only affected by the heartbleed vulnerability when connecting to a an X2Go session broker over HTTPS. Even though X2Go Client uses libssh and cygwin's openssh, which both in turn use openssl, they were never affected because the SSH protocol does not contain the SSL heartbeat. For more info on why SSH implementations are not affected, read [[https://access.redhat.com/site/solutions/786603|Red hat's solution article]]. The only difference between that solution article and X2Go Client is that the vulnerable library file is ssleay32.dll and the non-affected library files are both libeay32.dll and cygcrypto-1.0.0.dll .) 
     *Compared to 4.0.1.3, bug #229 (support for https broker connections) was fixed. However, it was also fixed in 4.0.1.3+build2. This bugfix is being mentioned here because some users may not be aware of 4.0.1.3+build2. (Ironically, the fix was to add ssleay32.dll, which means that the heartbleed vulnerability was only ever present in 4.0.1.3+build2.)     *Compared to 4.0.1.3, bug #229 (support for https broker connections) was fixed. However, it was also fixed in 4.0.1.3+build2. This bugfix is being mentioned here because some users may not be aware of 4.0.1.3+build2. (Ironically, the fix was to add ssleay32.dll, which means that the heartbleed vulnerability was only ever present in 4.0.1.3+build2.)
     *The following security vulnerabilities in VcXsrv: CVE-2013-4396 (Oct. 8, 2013), CVE-2013-6462 (Jan. 7, 2014) (Note that we have not determined whether or not X2Go could actually trigger them. They are however now fixed in the VcXsrv code.)     *The following security vulnerabilities in VcXsrv: CVE-2013-4396 (Oct. 8, 2013), CVE-2013-6462 (Jan. 7, 2014) (Note that we have not determined whether or not X2Go could actually trigger them. They are however now fixed in the VcXsrv code.)
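Review bot: the revised Heartbleed bullet still reads "connecting to a an X2Go session broker", so the stray "a" should be dropped in the same typo pass, together with "Red hat's" (Red Hat's) and the space before the final period in "cygcrypto-1.0.0.dll .)". The bullet also names ssleay32.dll as the vulnerable file without saying which OpenSSL version the 4.0.2.0 bundle ships; stating that version would let users confirm the fix against an installed copy.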
doc/release-notes-mswin/x2goclient-4.0.2.0.txt · Last modified: 2014/06/08 01:49 by mikedep333