"The nxconfigure.sh script can allow the execution of arbitrary commands on the system

The nxconfigure.sh script, a SUIDed script used by NX Server Manager to update the server configuration, could be executed by any user to execute arbitrary commands on the system. A possible workaround, until the new node and server packages fixing this issue are available, is to remove the nxconfigure.sh script and replace it with a fake file:

# rm /usr/NX/scripts/restricted/nxconfigure.sh
# touch /usr/NX/scripts/restricted/nxconfigure.sh

Please note that by applying this workaround, you will no longer be able to configure the server via the NX Server Manager interface until you upgrade your NX server installation to the new package."

net-misc/nxnode-3.5.0.4 and net-misc/nxserver-freeedition-3.5.0.5 are in tree now and are only a security bugfix over the current 3.5 versions (in tree for more than 2 months, without new open bugs). Stable candidates are (target keywords amd64 and x86):

* =net-misc/nxclient-3.5.0.7 (needed for 3.5 server)
* =net-misc/nxnode-3.5.0.4
* =net-misc/nxserver-freeedition-3.5.0.5

Other NX servers in tree do not use this system, so they are not affected.
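An added audit check, not part of the bug report or of the NX packages, that reports whether the workaround quoted above (SUID script removed and replaced by an empty placeholder) is actually in place on a host. The default path is the one named in the advisory; any other path passed as an argument is assumed to be a test input.

```shell
#!/bin/sh
# Added example: audit the nxconfigure.sh workaround. Not NX's or Gentoo's code.
# Path from the advisory; a different path may be passed as the first argument.
NX_SCRIPT_DEFAULT=/usr/NX/scripts/restricted/nxconfigure.sh

# Exit status:
#   0  workaround in place: script absent, or an empty non-setuid regular file
#   1  the setuid bit is still set on the file (workaround NOT applied)
#   2  file exists, is non-empty and not setuid (patched package, or unknown)
check_nxconfigure_workaround() {
    f=${1:-$NX_SCRIPT_DEFAULT}
    if [ ! -e "$f" ]; then
        echo "ok: $f is absent"
        return 0
    fi
    # find on a single file only tests that file; -perm -4000 matches setuid.
    if [ -n "$(find "$f" -perm -4000 2>/dev/null)" ]; then
        echo "VULNERABLE: $f still carries the setuid bit"
        return 1
    fi
    if [ -f "$f" ] && [ ! -s "$f" ]; then
        echo "ok: $f is an empty, non-setuid placeholder"
        return 0
    fi
    echo "unexpected: $f is non-empty and not setuid; verify the installed package"
    return 2
}

# Run the check against the default (or supplied) path when executed directly.
check_nxconfigure_workaround "$@"
```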
Thanks for the great detail, Bernard. Arches, please test and mark stable:

=net-misc/nxclient-3.5.0.7
Target keywords : "amd64 x86"

=net-misc/nxnode-3.5.0.4
Target keywords : "amd64 x86"

=net-misc/nxserver-freeedition-3.5.0.5
Target keywords : "amd64 x86"
x86 stable
Take a look at bug 379959; it can't block this stabilization. amd64 ok
all emerges and works
amd64 done. Thanks Agostino and Ian
Thanks, folks. GLSA request filed.
Vulnerable versions removed from tree (thanks ago for the reminder in bug #384097)
This issue was resolved and addressed in GLSA 201201-07 at http://security.gentoo.org/glsa/glsa-201201-07.xml by GLSA coordinator Sean Amoss (ackle).