security x2goserver-4.0.1.10-1.el6 security update
Status: stable
Release: Fedora EPEL 6
Update ID: FEDORA-EPEL-2014-0026
Builds: x2goserver-4.0.1.10-1.el6 (logs)
Pushed: True
Date Submitted: 2014-01-03 20:18:39
Date Released: 2014-01-03 21:38:28
Submitter: orion
Karma: 0
Stable karma: 2
Unstable karma: -3
Details

This release pulls in all changes introduced in the Baikal LTS release 4.0.0.8, including the fix for a severe vulnerability in x2gocleansessions. Gains of the LTS version 4.0.0.8 of x2goserver are:

  • Improve parsing of the NX session.log file. Fix session suspending/resuming when it fails on some occasions.
  • Fix severe vulnerability in x2gocleansessions.
  • Sanitize session ID string, port numbers, display numbers and agent PID numbers before writing them as strings to the session DB.

Please note: This release fixes a severe vulnerability in X2Go Server that allowed an attacker with user permissions to gain root access to the X2Go Server machine. Everyone, please upgrade your X2Go Server installations.

New gains of the version 4.0.1.10 of x2goserver are:

  • Fix x2goresume-session that we broke in 4.0.1.9.
  • Ship x2goserver-fmbindings.
  • Allow enabling/disabling of TCP listening of x2goagent.

  • Disable Xsession support for now - Debian specific (Bug #1038834)

Update to 4.0.1.9 - incorporate changes from 4.0.0.7 LTS bugfix release.

  • Drop incorrect keyboard patch
  • Use mktemp instead of tempfile
  • Fix Xsession.d link creation
  • Add patch to fix keyboard setting (bug #1033876)

Update to 4.0.1.8:

  • Fix resizing when resuming sessions.
  • Fix automatic keyboard setup (via x2gosetkeyboard) while resuming a session. (Fixes: #285).
  • Provide sudoers.d/x2goserver file that allows sudoed commands under KDE (by retaining the env var QT_GRAPHICSSYSTEM). (Fixes: #276).
  • With PostgreSQL as session db backend, prevent the root user from launching sessions. Also, prevent x2gouser_root from being added as a PostgreSQL user. (Fixes: #310).
  • Execute DB status changes as late as possible during suspend / terminate.
  • Start/resume rootless sessions without geometry parameter. In particular, using X2GO_GEOMETRY=fullscreen for rootless sessions led to an extra 1x1 px session window (nxagentCreateIconWindow in nxagent's Window.c).
  • Typo fix in x2goruncommand (for MATE session startup).
  • Make umask that is used when mounting client-side folders via SSHFS configurable in x2goserver.conf. (Fixes: #331).
  • Use the bash builtin 'type' instead of 'which', which is to be avoided. (Fixes: #305).
Bugs Fixed
1038834 - /etc/x2go/Xsession script broken
Feedback
bodhi - 2014-01-03 20:18:46
This update has been submitted for testing by orion.
bodhi - 2014-01-03 20:31:35
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2014-01-03 21:33:05
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2014-01-03 22:43:39
This update has been pushed to testing
bodhi - 2014-01-18 03:38:26
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2014-01-18 17:32:21
This update has been submitted for stable by orion.
bodhi - 2014-01-18 18:28:24
This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
bodhi - 2014-01-18 20:36:06
This update has been pushed to stable
