ROME, Italy, July 10th, 2007 - A bug in the procedure allowing the shadowing of NX sessions causes the agent to default to the host-based authentication, making it possible for other users successfully logged on to the NX system to get access to the remote display. This bug affects NX Node versions 3.0.0-70 and 3.0.0-71, but not NX Node version 3.0.0-76. Although exploitation of this bug requires a valid account on the server machine, if you are using any version of NX Node released prior to version 3.0.0-76, you are strongly advised to upgrade.
nx please advise and patch as necessary.
Sorry for the delay, I was on holiday! Affected versions are net-misc/nxnode-3.0.0 (removed some weeks ago from portage) and the current net-misc/nxnode-3.0.0-r1, both marked ~arch. I will bump nxnode (and remove the vulnerable -r1 ebuild) ASAP. Other NX servers (including the 2.1 free edition) are not vulnerable, as they do not provide the session shadow capability.
OK, nxnode-3.0.0-r2 is in CVS, and -r1 (the last affected version in portage) was removed.
Thanks Bernard. Not sure if we have to call x86 for stabling though, because 2.1.0 is already stable and not affected while 3.x was in unstable. I don't see anything in our policy for this case, but I'd say no because stable users don't have to bump as they're not affected. Security, any opinions on this?
If it was never stable, policy says noglsa.