Description: Two security issues have been reported in NX Server, which can be exploited by malicious, local users to bypass certain security restrictions. 1) An error in the way the authority file is handled can allow access to the display of another user running a NX session on the system. 2) An error when reading the authority file can be exploited to interrupt the server by a signal, which can result in the server enabling local host access. Solution: Update to version 1.4.0-107. http://www.nomachine.com/download.php
One more for superStuart -- the package is still (or already) masked.
Stuart, any news on this one?
This upgrade is now done. Actually, it's been done for a month or so; but I missed it because it wasn't assigned to the nx herd. nxserver-*-1.4.0 hasn't come out of package.mask yet, so it's up to you whether a GLSA should be issued or not.
Security please vote on GLSA release. I tend to vote YES. Stuart, you don't have to keep it masked until GLSA status is resolved.
x86: please test and mark nxserver-business-1.4.0 stable
Stuart, I guess you can mark it.. I'm not even sure how to test this..
Stuart any news on this one?
Ready for GLSA vote
I tend to say NO, as this has been fixed a long time ago, and I don't see an easy way to exploit this.
Voting NO as well -> closing.
