210317 2008-02-16 01:57 0000 net-misc/nxnode, net-misc/nx Xorg security fixes included 2008-04-06 13:33:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.nomachine.com/news-read.php?idnews=230 B2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org nx@gentoo.org rbu@gentoo.org 2008-02-16 01:57:30 0000 "NoMachine makes available today the second maintenance release of NX Node 3.1.0. The new packages include minor bug fixes to the NX software and, namely, some security fixes affecting the X11 code-base." Seems to be xorg bug 204362. rbu@gentoo.org 2008-02-16 01:58:53 0000 NX herd, please bump -- or do we have all the necessary code in the tree already? The last ebuild commit is dated before the press release. If so, is it ready for stabling? voyageur@gentoo.org 2008-02-17 22:42:16 0000 This is indeed bug #204362: "Four of the vulnerabilities affect NX Node 3.1.0-5, namely: XInput Extension Memory Corruption Vulnerability [IDEF2888 CVE-2007-6427]. TOG-CUP Extension Memory Corruption Vulnerability [IDEF2901 CVE-2007-6428]. EVI Extension Integer Overflow Vulnerability [IDEF2902 CVE-2007-6429]. MIT-SHM Extension Integer Overflow Vulnerability [IDEF2904 CVE-2007-6429]" Both nxnode and nx packages need to be bumped, I'm adding new versions. Stabling packages should also involve net-misc/nxclient-3.1.0 and net-misc/nxserver-freeedition-3.1.0, to go along with new nxnode-3.1.0. I'll sum up what needs to be stabled as soon as I have the packages in the tree voyageur@gentoo.org 2008-02-17 23:12:55 0000 Ok, new packages with security fixes included: net-misc/nxnode-3.1.0-r2 net-misc/nx-3.1.0-r1 Current stable versions are also based on Xorg, so security stabling is needed Need amd64 and x86 stable keywords: net-misc/nxnode-3.1.0-r2 net-misc/nxclient-3.1.0 (ready for stable, to go along with nxnode-3.1) net-misc/nxserver-freeedition-3.1.0 (same) x86 stable keyword: net-misc/nx-3.1.0-r1 net-misc/nxserver-freenx-0.7.1-r2 (ready for stable, has patches with better 3.1 nx detection) I was about to finally ask amd64 stabling on freenx, I guess it will have to wait a bit more... rbu@gentoo.org 2008-02-18 04:07:05 0000 Thanks for the fast update, arches please stable as mentioned in the above comment. fauli@gentoo.org 2008-02-18 17:57:22 0000 x86 stable pva@gentoo.org 2008-03-06 08:43:51 0000 I'm working on stabilization of this stuff. But I've never used it so this'll take some time. Hopefully today or tomorrow, I'll stabilize it. pva@gentoo.org 2008-03-06 19:59:18 0000 Well while I'm progressing in getting this stuff working I see the following problem with nxnode ebuild. It does: chown nx:root "${ROOT}"/usr/NX/etc/node.lic while it does not create nx user. Also for consistency it's better to use chown nx:0 ... see bug 103563. voyageur@gentoo.org 2008-03-10 00:58:16 0000 Thanks, the nx user is now created in nxnode (this worked before because the NX install script fixed the ownership in nxserver ebuild), and it's now nx:0. Should be fine (nxnode-3.1.0-r2) pva@gentoo.org 2008-03-19 11:17:02 0000 amd64 stable. After IRC discussion with voyageur I've stabilized -r1 for nxnode and nserver-freeedition. Fixed in release snapshot. rbu@gentoo.org 2008-03-21 02:19:06 0000 request filed rbu@gentoo.org 2008-04-06 13:33:02 0000 GLSA 200804-05