Bug 210317 - net-misc/nxnode, net-misc/nx Xorg security fixes included
Summary: net-misc/nxnode, net-misc/nx Xorg security fixes included
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.nomachine.com/news-read.ph...
Whiteboard: B2 [glsa]
Reported: 2008-02-16 01:57 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-06 13:33 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:57:30 UTC
"NoMachine makes available today the second maintenance release of NX Node 3.1.0. The new packages include minor bug fixes to the NX software and, namely, some security fixes affecting the X11 code-base."

Seems to be xorg bug 204362.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:58:53 UTC
NX herd, please bump -- or do we have all the necessary code in the tree already? The last ebuild commit is dated before the press release. If so, is it ready for stabling?
Comment 2 Bernard Cafarelli gentoo-dev 2008-02-17 22:42:16 UTC
This is indeed bug #204362:
"Four of the vulnerabilities affect NX Node 3.1.0-5, namely:

XInput Extension Memory Corruption Vulnerability [IDEF2888 CVE-2007-6427].
TOG-CUP Extension Memory Corruption Vulnerability [IDEF2901 CVE-2007-6428].
EVI Extension Integer Overflow Vulnerability [IDEF2902 CVE-2007-6429].
MIT-SHM Extension Integer Overflow Vulnerability [IDEF2904 CVE-2007-6429]"

Both nxnode and nx packages need to be bumped, I'm adding new versions. 
Stabling packages should also involve net-misc/nxclient-3.1.0 and net-misc/nxserver-freeedition-3.1.0, to go along with new nxnode-3.1.0.

I'll sum up what needs to be stabled as soon as I have the packages in the tree
Comment 3 Bernard Cafarelli gentoo-dev 2008-02-17 23:12:55 UTC
Ok, new packages with security fixes included:
net-misc/nxnode-3.1.0-r2
net-misc/nx-3.1.0-r1
Current stable versions are also based on Xorg, so security stabling is needed


Need amd64 and x86 stable keywords:
net-misc/nxnode-3.1.0-r2
net-misc/nxclient-3.1.0 (ready for stable, to go along with nxnode-3.1)
net-misc/nxserver-freeedition-3.1.0 (same)

x86 stable keyword:
net-misc/nx-3.1.0-r1
net-misc/nxserver-freenx-0.7.1-r2 (ready for stable, has patches with better 3.1 nx detection)

I was about to finally ask amd64 stabling on freenx, I guess it will have to wait a bit more...
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 04:07:05 UTC
Thanks for the fast update, arches please stable as mentioned in the above comment.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-18 17:57:22 UTC
x86 stable
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 08:43:51 UTC
I'm working on stabilization of this stuff. But I've never used it so this'll take some time. Hopefully today or tomorrow, I'll stabilize it.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 19:59:18 UTC
Well, while I'm progressing in getting this stuff working, I see the following problem with the nxnode ebuild. It does:

  chown nx:root "${ROOT}"/usr/NX/etc/node.lic

while it does not create the nx user. Also, for consistency it's better to use chown nx:0 ... see bug 103563.
Comment 8 Bernard Cafarelli gentoo-dev 2008-03-10 00:58:16 UTC
Thanks, the nx user is now created in nxnode (this worked before because the NX install script fixed the ownership in nxserver ebuild), and it's now nx:0. Should be fine (nxnode-3.1.0-r2)
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-03-19 11:17:02 UTC
amd64 stable. After IRC discussion with voyageur I've stabilized -r1 for nxnode and nxserver-freeedition.

Fixed in release snapshot.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:19:06 UTC
request filed
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 13:33:02 UTC
GLSA 200804-05