[X2Go-Announcement] X2Go Server (4.0.0.8 / Baikal LTS) released
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Fri Jan 3 20:32:31 CET 2014
Dear all,

the X2Go project is proud to announce a new LTS release of the X2Go
component "x2goserver".

Please note: This release fixes a severe vulnerability in X2Go Server
that allowed an attacker with user permissions in previous versions of
X2Go Server to gain root access to the X2Go Server machine. We highly
recommend everyone to upgrade their X2Go Server installations.

New gains of this LTS version of "x2goserver" are:

  o Improve parsing of the NX session.log file. Fix session
    suspending/resuming when it fails on some occasions.
  o Fix severe vulnerability in x2gocleansessions.
  o Sanitize session ID string, port numbers, display numbers
    and agent PID numbers before writing them as strings to the
    session DB.

X2Go Component: x2goserver
Version: 4.0.0.8
Status: RELEASE
Date: Fri, 03 Jan 2014 11:30:54 +0100
Fixes these bug report(s): 347 356
Changes:
x2goserver (4.0.0.8) RELEASED; urgency=low
.
* New upstream version (4.0.0.8):
  - Use mktemp instead of tempfile (because Fedora does not have the tempfile
    binary). (Fixes: #347).
  - Replace makepasswd by pwgen (because Fedora does not have makepasswd).
  - Improve parsing of the NX session.log file where unexpected extra logging
    takes place during session suspension/resumption. Thanks to Gerald Richter
    for finding this!!! (Fixes: #356).
  - Avoid one argument system calls and backticks in x2gocleansessions and
    x2golistsessions_root.
  - Avoid one argument system calls and backticks in x2golistsessions.
  - Avoid one argument system calls and backticks in x2goprint.
  - Avoid backticks in x2goshowblocks, move script to <prefix>/sbin/ as it is
    for being run with root privileges.
  - Sanitize session ID string, port numbers, display numbers and agent PID
    numbers before writing them as strings to the session DB.

Regards,
Mike Gabriel
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
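
The changelog entries on avoiding one-argument system calls and backticks, and on sanitizing values before they reach the session DB, describe a general Perl hardening pattern. The sketch below is an added example, not code from x2goserver or from this announcement; the allowlist patterns, the helper names `sanitize` and `capture`, and the sample rows are assumptions made for illustration.

```perl
use strict;
use warnings;
$| = 1;  # keep our output in order with the child process output

# Allowlist per field. These patterns are assumptions for this example,
# not the ones x2goserver 4.0.0.8 uses.
my %FIELD_RE = (
    session_id => qr/\A[A-Za-z0-9_.-]{1,128}\z/,
    port       => qr/\A[0-9]{1,5}\z/,
    display    => qr/\A[0-9]{1,4}\z/,
    agent_pid  => qr/\A[0-9]{1,10}\z/,
);

# Returns the value if it matches its allowlist, undef otherwise.
sub sanitize {
    my ($field, $value) = @_;
    my $re = $FIELD_RE{$field} or die "unknown field: $field\n";
    return undef unless defined $value && $value =~ $re;
    return undef if $field eq 'port' && ($value < 1 || $value > 65535);
    return $value;
}

# Backtick replacement: list-form pipe open runs the program directly,
# so no shell ever parses the arguments.
sub capture {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    chomp(my @lines = <$fh>);
    close($fh) or die "$argv[0] failed with status $?\n";
    return @lines;
}

# Constructed sample rows; the second session ID contains shell metacharacters.
my @rows = (
    { session_id => 'alice-50-1388745054', port => '30001', display => '50', agent_pid => '4242' },
    { session_id => 'alice-51;echo injected', port => '30002', display => '51', agent_pid => '4243' },
);

for my $row (@rows) {
    my @bad = grep { !defined sanitize($_, $row->{$_}) } sort keys %FIELD_RE;
    if (@bad) {
        print "rejected, not written to session DB: bad @bad\n";
        # Even unsanitized, the list form passes the string as one literal argument.
        print "  list-form output: $_\n" for capture('printf', '%s\n', $row->{session_id});
        next;
    }
    # List-form system(): program and arguments are separate list elements.
    system('printf', 'accepted %s on port %s\n', @{$row}{qw(session_id port)}) == 0
        or die "printf failed: $?\n";
}
```

The two measures are complementary: validation keeps malformed values out of the stored records, and list-form execution keeps any value that does reach a command line from being interpreted by a shell.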