[X2Go-Announcement] X2Go Server (4.0.0.8 / Baikal LTS) released

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Jan 3 20:32:31 CET 2014


Dear all,

the X2Go project is proud to announce a new LTS release of the X2Go
component "x2goserver".

Please note: This release fixes a severe vulnerability in X2Go Server
that allowed an attacker with user permissions in previous versions of
X2Go Server to gain root access to the X2Go Server machine. We highly
recommend everyone to upgrade their X2Go Server installations.

New gains of this LTS version of "x2goserver" are:

    o Improve parsing of the NX session.log file. Fix session
      suspending/resuming when it fails on some occasions.
    o Fix severe vulnerability in x2gocleansessions.
    o Sanitize session ID string, port numbers, display numbers
      and agent PID numbers before writing them as strings to the
      session DB.


X2Go Component: x2goserver
Version: 4.0.0.8
Status: RELEASE
Date: Fri, 03 Jan 2014 11:30:54 +0100
Fixes these bug report(s): 347 356
Changes:
   x2goserver (4.0.0.8) RELEASED; urgency=low
   .
     * New upstream version (4.0.0.8):
       - Use mktemp instead of tempfile (because Fedora does not have the tempfile
         binary). (Fixes: #347).
       - Replace makepasswd by pwgen (because Fedora does not have makepasswd).
       - Improve parsing of the NX session.log file where unexpected extra logging
         takes place during session suspension/resumption. Thanks to Gerald Richter
         for finding this!!! (Fixes: #356).
       - Avoid one argument system calls and backticks in x2gocleansessions and
         x2golistsessions_root.
       - Avoid one argument system calls and backticks in x2golistsessions.
       - Avoid one argument system calls and backticks in x2goprint.
       - Avoid backticks in x2goshowblocks, move script to <prefix>/sbin/ as it is
         for being run with root privileges.
       - Sanitize session ID string, port numbers, display numbers and agent PID
         numbers before writing them as strings to the session DB.


Regards,
Mike Gabriel

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
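The changelog items on avoiding one-argument system calls and backticks, and on sanitizing values before they reach the session DB, sketched as an added Perl example. It is not x2goserver code and not a reconstruction of the fixed vulnerability; the function names, the ID pattern, the numeric bounds and the sample rows are all assumptions.

```perl
use strict;
use warnings;

# Assumed ID grammar (hypothetical); the page does not give the real one.
sub sanitize_session_id {
    my ($sid) = @_;
    return (defined $sid && $sid =~ /\A([A-Za-z0-9._-]{1,128})\z/) ? $1 : undef;
}

# Ports, display numbers, agent PIDs: decimal digits only, within a bound.
sub sanitize_number {
    my ($n, $max) = @_;
    return undef unless defined $n && $n =~ /\A([0-9]{1,7})\z/;
    return $1 <= $max ? $1 + 0 : undef;
}

# Stand-in for backticks: list-form pipe open runs the program directly,
# without /bin/sh, so every argument arrives as one literal argv entry.
sub capture {
    my (@cmd) = @_;
    die "capture() needs a program and at least one argument\n" if @cmd < 2;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!\n";
    my @out = <$fh>;
    close($fh) or die "$cmd[0] failed (status $?)\n";
    chomp @out;
    return @out;
}

# Constructed sample rows: session ID, port, display, agent PID.
my @rows = (
    ['alice-50-1388745151_stDXFCE_dp24', '30001', '50', '4242'],
    ['bob-51 ; echo unexpected',         '30002', '51', '4243'],
    ['carol-52-1388745200_stDXFCE_dp24', '99999', '52', '12ab'],
);

for my $row (@rows) {
    my ($sid, $port, $display, $pid) = @$row;
    my @clean = (
        sanitize_session_id($sid),
        sanitize_number($port,    65535),    # TCP port range
        sanitize_number($display, 9999),     # assumed display bound
        sanitize_number($pid,     4194304),  # assumed PID bound
    );
    if (grep { !defined } @clean) {
        warn "rejected row, nothing written or executed\n";
        next;
    }
    # 'echo' stands in for a helper program taking the validated values.
    my ($line) = capture('echo', @clean);
    print "accepted: $line\n";
}
```

Only the first constructed row passes; the second fails the ID pattern and the third fails the port bound and the PID digit check, so neither reaches the command or would be written as a DB string.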