doc:release-notes-mswin:x2goclient-4.0.2.0

Differences

This shows you the differences between two versions of the page.

doc:release-notes-mswin:x2goclient-4.0.2.0 [2014/04/24 00:36]
mikedep333
doc:release-notes-mswin:x2goclient-4.0.2.0 [2014/06/08 01:47]
mikedep333 [Security Update: 4.0.2.0+build4] typo
Line 1: Line 1:
 ====== Windows-Specific Release notes for X2Go Client 4.0.2.0 ====== ====== Windows-Specific Release notes for X2Go Client 4.0.2.0 ======
 +
 +===== Security Update: 4.0.2.0+build4 =====
 +
 +On 2014-06-08, 4.0.2.0+build4 was released with the following changes:
 +
 +  *Cygwin OpenSSL was updated from 1.0.1g-1 to 1.0.1h-1. This fixes the 6 security vulnerabilities in the OpenSSL Security Advisory [05 Jun 2014]: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298 & CVE-2014-3470
 +
 +All users of 4.0.2.0 are strongly encouraged to update to 4.0.2.0+build4. This includes users of the "misc" fonts and "full" fonts builds.
 +
 +===== Security Update: 4.0.2.0+build3 =====
 +
 +On 2014-06-08, 4.0.2.0+build3 was released with the following changes:
 +
 +  *Win32 OpenSSL was updated from 1.0.1g to 1.0.1h. This fixes the 6 security vulnerabilities in the OpenSSL Security Advisory [05 Jun 2014]: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298 & CVE-2014-3470
 +
 +All users of 4.0.2.0 are strongly encouraged to update to 4.0.2.0+build3. This includes users of the "misc" fonts and "full" fonts builds.
 +
 +===== Security Update: 4.0.2.0+build2 =====
 +
 +On 2014-05-27, 4.0.2.0+build2 was released with the following changes:
 +
 +  * VcXsrv was updated from 1.4.3.1 to 1.4.3.2. The difference is that VcXsrv 1.14.3.2 has backported fixes for X.Org vulnerabilities CVE-2014-0209, CVE-2014-0210, and CVE-2014-0211. (All are from May 13, 2014) (Note that we have not determined whether or not X2Go could actually trigger them. They are however now fixed in the VcXsrv code.)
 +
 +All users of 4.0.2.0 are strongly encouraged to update to 4.0.2.0+build2. This includes users of the "misc" fonts and "full" fonts builds.
 +
 ===== Major Windows-specific changes since 4.0.1.3+build2 ===== ===== Major Windows-specific changes since 4.0.1.3+build2 =====
  
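Review bot: The build2 bullet gives the VcXsrv upgrade as "from 1.4.3.1 to 1.4.3.2", but the same sentence continues with "VcXsrv 1.14.3.2" and the XP-compatibility paragraph numbers the rebuild "1.14.3.1". The first two version strings are missing a digit and should read 1.14.3.1 and 1.14.3.2, otherwise anyone checking the bundled X server version against these notes will not find a match. Separately, build3 (Win32 OpenSSL) and build4 (Cygwin OpenSSL) carry the same date and the same closing paragraph, each recommending its own build; it would help to say in the build3 section that build4 supersedes it. The build3 and build4 bullets also use "*Cygwin" and "*Win32" with no space after the asterisk, unlike the build2 bullet.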
Line 7: Line 32:
 However, recent versions of VcXsrv have dropped compatibility with Windows XP. However, recent versions of VcXsrv have dropped compatibility with Windows XP.
  
-In order to maintain XP compatibility, the X2Go project has rebuilt VcXsrv 1.14.3 with MSVC 2012's v110_xp toolset instead of the v110 toolset. Fixes for the VcXsrv vulnerabilities since 1.14.3 (CVE-2013-4396 & CVE-2013-6462) were backported. We have numbered this version of VcXsrv as "1.14.3.1".+In order to maintain XP compatibility, the X2Go project has rebuilt VcXsrv 1.14.3 with MSVC 2012's v110_xp toolset instead of the v110 toolset. Fixes for the VcXsrv vulnerabilities since 1.14.3 (CVE-2013-4396 & CVE-2013-6462) were backported. We have numbered this version of VcXsrv as "1.14.3.1"(Now updated to "1.14.3.2".)
  
 For the time being, the source code to this version of VcXsrv is available here: For the time being, the source code to this version of VcXsrv is available here:
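Review bot: In the changed sentence, the new parenthetical is attached directly to the closing quote and the original full stop is gone: "1.14.3.1"(Now updated to "1.14.3.2".) should read "1.14.3.1". (Now updated to "1.14.3.2".) The sentence also still names only CVE-2013-4396 and CVE-2013-6462 as backported, so a pointer to the build2 section for what 1.14.3.2 adds would keep the two places consistent.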
Line 30: Line 55:
  
 ===== Available Builds ===== ===== Available Builds =====
 +
 +All builds with version "4.0.2.0+build4" in their filename are current.
 +
 +==== Current Builds ====
 +
 The regular build is available here: The regular build is available here:
-    *http://code.x2go.org/releases/binary-win32/x2goclient/releases/4.0.2.0/x2goclient-4.0.2.0-setup.exe +  * http://code.x2go.org/releases/binary-win32/x2goclient/releases/4.0.2.0+build4/x2goclient-4.0.2.0+build4-setup.exe 
-Until a new version of X2Go Client is released, this link on the home page is the aforementioned version & build: + 
-    *http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe +<note>Until a new version of X2Go Client is released, this link on the home page is the aforementioned version & build: 
-There is no longer an "interims" build with PulseAudio 0.9.6 because PulseAudio 1.1 has been upgraded to PulseAudio 5.0, and it includes a fix for X2Go Bug 363. If a regression is discovered in PulseAudio 5.0, an "interims" build with PulseAudio 0.9.6 will be released.+http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe</note> 
 + 
 +<note tip>There is no longer an "interims" build with PulseAudio 0.9.6 because PulseAudio 1.1 has been upgraded to PulseAudio 5.0, and it includes a fix for X2Go Bug 363. If a regression is discovered in PulseAudio 5.0, an "interims" build with PulseAudio 0.9.6 will be released.</note> 
 + 
 +The "misc" fonts build is available here. See the "Noteworthy Windows-Specific Bugs" below for more info. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build4-miscfonts-setup.exe 
 + 
 +The "full" fonts build is available here. See the "Noteworthy Windows-Specific Bugs" below for more info. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build4-fullfonts-setup.exe  
 + 
 +A debug build is available here. If you experience a bug and would like to assist with debugging it, this build is for you. It does not include any of the fonts. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build4-debug-setup.exe 
 + 
 +==== Previous Builds ==== 
 +The regular build is available here: 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/releases/4.0.2.0+build3/x2goclient-4.0.2.0+build3-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/releases/4.0.2.0+build2/x2goclient-4.0.2.0+build2-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/releases/4.0.2.0/x2goclient-4.0.2.0-setup.exe 
 + 
 +<note tip>There is no longer an "interims" build with PulseAudio 0.9.6 because PulseAudio 1.1 has been upgraded to PulseAudio 5.0, and it includes a fix for X2Go Bug 363. If a regression is discovered in PulseAudio 5.0, an "interims" build with PulseAudio 0.9.6 will be released.</note> 
 + 
 +The "misc" fonts build is available here. See the "Noteworthy Windows-Specific Bugs" below for more info. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build3-miscfonts-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build2-miscfonts-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0-miscfonts-setup.exe 
 + 
 +The "full" fonts build is available here. See the "Noteworthy Windows-Specific Bugs" below for more info. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build3-miscfonts-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build2-fullfonts-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0-fullfonts-setup.exe  
 + 
 +A debug build is available here. If you experience a bug and would like to assist with debugging it, this build is for you. It does not include any of the fonts. 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build3-debug-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0+build2-debug-setup.exe 
 +  * http://code.x2go.org/releases/binary-win32/x2goclient/tmp/x2goclient-4.0.2.0-debug-setup.exe
  
 ===== Compatible Windows Versions ===== ===== Compatible Windows Versions =====
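Review bot: Under "Previous Builds", the first link in the "full" fonts list points to x2goclient-4.0.2.0+build3-miscfonts-setup.exe, the same file as in the "misc" list above it; it should presumably be the build3 fullfonts installer, matching the build2 and 4.0.2.0 entries beside it. The PulseAudio "note tip" is added twice, once under "Current Builds" and again under "Previous Builds"; one copy is enough. Since this revision exists to push security updates, it is also worth noting that every installer link here is plain http:// with no checksum or signature listed next to it, and that the fonts and debug builds are served from a /tmp/ path while the regular build is under /releases/; publishing hashes alongside the links would let users verify what they download.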
Line 69: Line 133:
  
 The following bugfixes are not mentioned in the regular release notes. (They are not mentioned in the regular release notes because they do not consist of fixes to X2GoClient's source code, only to the dependencies bundled.): The following bugfixes are not mentioned in the regular release notes. (They are not mentioned in the regular release notes because they do not consist of fixes to X2GoClient's source code, only to the dependencies bundled.):
-    *CVE-2014-0160 "Heartbleed" vulnerability (Note: X2Go Client was only affected by the heartbleed vulnerability when connecting to a an X2Go session broker over HTTPS. Even though X2Go Client uses libssh and cygwin's openssh, which both in turn use openssl, they were never affected because the SSH protocol does not contain the SSL heartbeat. For more info on why SSH implementations are not affected, read [[https://access.redhat.com/site/solutions/786603|Red hat's solution article.]]. The only difference between that solution article and X2Go Client is that the vulnerable library file is ssleay32.dll and the non-affected library files are both libeay32.dll and cygcrypto-1.0.0.dll .) +    *CVE-2014-0160 "Heartbleed" vulnerability (Note: X2Go Client was only affected by the heartbleed vulnerability when connecting to a an X2Go session broker over HTTPS. Even though X2Go Client uses libssh and cygwin's openssh, which both in turn use openssl, they were never affected because the SSH protocol does not contain the SSL heartbeat. For more info on why SSH implementations are not affected, read [[https://access.redhat.com/site/solutions/786603|Red hat's solution article]]. The only difference between that solution article and X2Go Client is that the vulnerable library file is ssleay32.dll and the non-affected library files are both libeay32.dll and cygcrypto-1.0.0.dll .) 
     *Compared to 4.0.1.3, bug #229 (support for https broker connections) was fixed. However, it was also fixed in 4.0.1.3+build2. This bugfix is being mentioned here because some users may not be aware of 4.0.1.3+build2. (Ironically, the fix was to add ssleay32.dll, which means that the heartbleed vulnerability was only ever present in 4.0.1.3+build2.)     *Compared to 4.0.1.3, bug #229 (support for https broker connections) was fixed. However, it was also fixed in 4.0.1.3+build2. This bugfix is being mentioned here because some users may not be aware of 4.0.1.3+build2. (Ironically, the fix was to add ssleay32.dll, which means that the heartbleed vulnerability was only ever present in 4.0.1.3+build2.)
     *The following security vulnerabilities in VcXsrv: CVE-2013-4396 (Oct. 8, 2013), CVE-2013-6462 (Jan. 7, 2014) (Note that we have not determined whether or not X2Go could actually trigger them. They are however now fixed in the VcXsrv code.)     *The following security vulnerabilities in VcXsrv: CVE-2013-4396 (Oct. 8, 2013), CVE-2013-6462 (Jan. 7, 2014) (Note that we have not determined whether or not X2Go could actually trigger them. They are however now fixed in the VcXsrv code.)
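Review bot: The Heartbleed bullet is only touched to move the full stop out of the link text, but the same line still has "connecting to a an X2Go session broker", "Red hat's" with a lower-case h, and a stray space before the final full stop in "cygcrypto-1.0.0.dll ."; these could be fixed in the same edit. With the OpenSSL 1.0.1h sections now added at the top of the page, it would also help to say here whether the ssleay32.dll versus libeay32.dll / cygcrypto-1.0.0.dll distinction drawn for CVE-2014-0160 applies to the newer advisory or only to Heartbleed, since readers will otherwise assume it carries over.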
doc/release-notes-mswin/x2goclient-4.0.2.0.txt · Last modified: 2014/06/08 01:49 by mikedep333