group.of.nepali.translators team mailing list archive

[Timo Aaltonen <tjaalton@xxxxxxxxxx>]

Hello Mihai, or anyone else affected,

Accepted x2goclient into eoan-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/x2goclient/4.1.2.1-2ubuntu0.19.10.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-eoan to verification-done-eoan. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-eoan. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: x2goclient (Ubuntu Disco)
       Status: Confirmed => Invalid

** Changed in: x2goclient (Ubuntu Eoan)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-eoan

** Changed in: x2goclient (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1856795

Title:
  [SRU] X2Go Client broken by libssh CVE-2019-14889 fix

Status in libssh package in Ubuntu:
  Invalid
Status in x2goclient package in Ubuntu:
  Fix Released
Status in libssh source package in Xenial:
  Invalid
Status in x2goclient source package in Xenial:
  Fix Committed
Status in libssh source package in Bionic:
  Invalid
Status in x2goclient source package in Bionic:
  Fix Committed
Status in libssh source package in Disco:
  Invalid
Status in x2goclient source package in Disco:
  Invalid
Status in libssh source package in Eoan:
  Invalid
Status in x2goclient source package in Eoan:
  Fix Committed
Status in x2goclient package in Debian:
  Fix Released

Bug description:
  [Test case]
  Connect to a x2go server on a session that has file sharing or audo-forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".

  [Regression potential]
  Very low as the patch removes "~<user>" from the ssh string which is the same as just using no path spec (":") as the default is the home dir of the logged in remote user.

  --------------------------------------------------------------------------

  The recent CVE fix broke SCP support in libssh, which X2Go Client
  (x2goclient) relies on.

  Sessions now fail with error messages such as "SCP: Warning: status
  code 1 received: scp: ~username/.x2go/ssh: No such file or
  directory\n". (Also note the literal "\n" there, but I guess we don't
  really need to care about that.)

  The previous version worked fine and rolling the libssh4 package back
  fixes this issue, but also leaves users vulnerable to the fixed
  security issue in its scp implementation.

  I've been looking at the debdiff, but spotting the actual changes is
  very difficult due to the reformatting that was done at the same time.
  This degraded the patch(es) into one big blob.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795/+subscriptions