
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix



Hi Mike,

On Sat, Dec 21, 2019 at 05:47:25PM +0000, Mike Gabriel wrote:
> Hi again,
> 
> On  Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:
> 
> > Hi again,
> > 
> > On  Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
> > 
> > > Hi all,
> > > 
> > > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
> > > 
> > > ```
> > > Connection failed. Couldn't create remote file
> > > ~<user>/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > > scp: ~<user>/.x2go/ssh: No such file or directory"
> > > ```
> > > 
> > > The solution to this is a fix to be applied against X2Go Client (in
> > > jessie/stretch/buster/unstable):
> > > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> > > 
> > > Thanks,
> > > Mike
> > 
> > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> > and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
> > 
> > Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> > please follow-up and provide regression fixes (i.e. a patched X2Go
> > Client, see LP:#1856795) to Ubuntu.
> > 
> > Thanks+Greets,
> > Mike
> 
> I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix
> for regression with CVE-2019-14889/libssh
> 
> Does that need a DLA?
> 
> If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA
> number?

In this case I would use a DLA-2038-2 regression update advisory,
tracking the x2goclient source package and (important) not tracking
the CVE id. It's a bit of an unusual case, but that is how it's then
usually handled. You can see DSA-4539-2 as the respective example.

So your entry would look like (data/DLA/list):

[$date] DLA-2038-2 x2goclient - regression update
        [jessie] - x2goclient $version

Regards,
Salvatore

