Updated x2goserver package fixes security vulnerability
Publication date: 01 Mar 2014Modification date: 01 Mar 2014
Type: security
Affected Mageia releases : 3
CVE: CVE-2013-4376
Description
A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper
x2gosqlitewrapper.c, which does not hardcode an internal path to
x2gosqlitewrapper.pl, allowing a remote attacker to change that path.
A remote attacker may be able to execute arbitrary code with the
privileges of the user running the server process (CVE-2013-4376).
A vulnerability in x2goserver before 4.0.0.8 in x2gocleansessions has
also been fixed.
References
- https://bugs.mageia.org/show_bug.cgi?id=11557
- https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
- http://www.gentoo.org/security/en/glsa/glsa-201310-19.xml
- https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126414.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4376
SRPMS
3/core
- x2goserver-4.0.1.13-1.mga3