I think, this issue needs to be re-assigned and someone needs to provide updates for x2goclient in all supported Ubuntu releases that have received the fix for CVE-2019-14889.
This patch needs to be applied on top of X2Go Client: https://code.x2go.org/gitweb?p=x2goclient.git;a=patch;h=ce559d163a943737fe4160f7233925df2eee1f9a For Debian, I am currently on this... ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14889 ** Bug watch added: Debian Bug tracker #947129 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libssh in Ubuntu. https://bugs.launchpad.net/bugs/1856795 Title: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5 Status in libssh package in Ubuntu: Confirmed Bug description: The recent CVE fix broke SCP support in libssh, which X2Go Client (x2goclient) relies on. Sessions now fail with error messages such as "SCP: Warning: status code 1 received: scp: ~username/.x2go/ssh: No such file or directory\n". (Also note the literal "\n" there, but I guess we don't really need to care about that.) The previous version worked fine and rolling the libssh4 package back fixes this issue, but also leaves users vulnerable to the fixed security issue in its scp implementation. I've been looking at the debdiff, but spotting the actual changes is very difficult due to the reformatting that was done at the same time. This degraded the patch(es) into one big blob. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
