Per upstream announcement (in URL), this version includes:
Vulnerability fix. With previous version it was easily possible for an attacker to execute arbitrary code as uid x2gouser
WARNING::: The above mentioned vulnerability fix demands that you upgrade all your X2Go Server installations to version 4.0.0.2.
4.0.0.2 is in tree now and works fine with ~arch x2goclient and net-misc/nx, but I have not tested it as much with stable versions. To be on the safe side, we should stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2
Target arches: amd64 and x86
Both nx and x2goclient versions have been in tree for some time now without new bugreports
With arches CC'ed it will be better sorry. Arches please test and mark stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2 (only recent package)
Thanks!
amd64 stable
x86 stable
Thanks ago! Vulnerable versions removed from tree
GLSA request filed.
This issue was resolved and addressed in GLSA 201310-19 at http://security.gentoo.org/glsa/glsa-201310-19.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-4376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4376): The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server before 4.0.0.2 allows remote attackers to execute arbitrary code via unspecified vectors, related to the path to libx2go-server-db-sqlite3-wrapper.pl.