[SECURITY] Fedora 20 Update: x2goserver-4.0.1.10-1.fc20

updates at fedoraproject.org
Mon Jan 13 02:55:56 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-0202
2014-01-04 18:59:54
--------------------------------------------------------------------------------

Name        : x2goserver
Product     : Fedora 20
Version     : 4.0.1.10
Release     : 1.fc20
URL         : http://www.x2go.org
Summary     : X2Go Server
Description :
X2Go is a server based computing environment with
    - session resuming
    - low bandwidth support
    - session brokerage support
    - client side mass storage mounting support
    - audio support
    - authentication by smartcard and USB stick

This package contains the main daemon and tools for X2Go server-side session
administrations.

--------------------------------------------------------------------------------
Update Information:

This release pulls in all changes introduced in the Baikal LTS release 4.0.0.8, including the fix for a severe vulnerability in
x2gocleansessions. Changes gained from the LTS version 4.0.0.8 of x2goserver are:

   o Improve parsing of the NX session.log file. Fix session
     suspending/resuming when it fails on some occasions.
   o Fix severe vulnerability in x2gocleansessions.
   o Sanitize session ID string, port numbers, display numbers
     and agent PID numbers before writing them as strings to the
     session DB.

Please note: This release fixes a severe vulnerability in X2Go Server that allowed an attacker with user permissions to gain root access to the X2Go Server machine.  Everyone, please upgrade your X2Go Server installations.

New changes in version 4.0.1.10 of x2goserver are:

   o Fix x2goresume-session that we broke in 4.0.1.9.
   o Ship x2goserver-fmbindings
   o Allow enabling/disabling of TCP listening of x2goagent.
- Disable Xsession support for now - Debian specific (Bug #1038834)

Update to 4.0.1.9 - incorporate changes from 4.0.0.7 LTS bugfix release.

- Drop incorrect keyboard patch
- Use mktemp instead of tempfile
- Fix Xsession.d link creation
- Add patch to fix keyboard setting (bug #1033876)

Update to 4.0.1.8:

- Fix resizing when resuming sessions.
- Fix automatic keyboard setup (via x2gosetkeyboard) while resuming a session. (Fixes: #285).
- Provide sudoers.d/x2goserver file that allows sudoed commands under KDE (by preserving the env var QT_GRAPHICSSYSTEM). (Fixes: #276).
- With PostgreSQL as session db backend, prevent the root user from launching sessions. Also, prevent x2gouser_root from being added as a PostgreSQL user. (Fixes: #310).
- Execute DB status changes as late as possible during suspend / terminate.
- Start/resume rootless sessions without geometry parameter.  In particular, using X2GO_GEOMETRY=fullscreen for rootless sessions led to an extra 1x1 px session window (nxagentCreateIconWindow in nxagent's Window.c).
- Typo fix in x2goruncommand (for MATE session startup).
- Make umask that is used when mounting client-side folders via SSHFS configurable in x2goserver.conf. (Fixes: #331).
- Use the bash builtin 'type' instead of 'which', which is to be avoided.  (Fixes: #305).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan  3 2014 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.10-1
- Update to 4.0.1.10
- Drop pwgen and mktemp patches applied upstream
* Sat Dec  7 2013 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.9-2
- Disable Xsession support for now - Debian specific (Bug #1038834)
* Mon Dec  2 2013 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.9-1
- Update to 4.0.1.9
- Drop incorrect keyboard patch
* Wed Nov 27 2013 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.8-2
- Use mktemp instead of tempfile
- BR xorg-x11-xinit for Xsession.d link creation
- Add patch to fix keyboard setting (bug #1033876)
* Sat Nov 23 2013 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.8-1
- Update to 4.0.1.8
- Fix x2gocleansessions init script for EL6 (bug #1031150)
* Tue Oct 22 2013 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.6-6
- Fix bug in x2gocleansessions init script, enable by default
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1038834 - /etc/x2go/Xsession script broken
        https://bugzilla.redhat.com/show_bug.cgi?id=1038834
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update x2goserver' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
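
To confirm a host actually carries the fix after updating, the check has to be branch-aware: 4.0.1.9 sorts above 4.0.0.8 but still predates the fix in its own branch. The following is an added example, not part of the original announcement; the function names and the "fixed"/"unfixed"/"unknown" labels are assumptions, and the two fix versions are the ones stated above.

```shell
#!/bin/sh
# Added example: classify an x2goserver version against this advisory.
# Fix versions taken from the advisory text:
#   4.0.0.x (Baikal LTS branch) -> fix first shipped in 4.0.0.8
#   4.0.1.x (Fedora 20 branch)  -> fix pulled in with 4.0.1.10

# x2go_fix_status VERSION[-RELEASE]
# Prints "fixed", "unfixed" (predates the fix in its branch) or
# "unknown" (malformed, or a branch the advisory does not mention).
x2go_fix_status() {
    ver=${1%%-*}                 # drop an RPM release suffix such as "-1.fc20"
    case $ver in
        ""|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                  # split on dots; only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo unknown; return 0; }
    case "$1.$2.$3" in
        4.0.0) fixed_at=8 ;;
        4.0.1) fixed_at=10 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$4" -ge "$fixed_at" ]; then
        echo fixed
    else
        echo unfixed
    fi
}

# x2go_installed_status: same check for the locally installed package.
# Not called here, so the script has no effect on hosts without rpm.
x2go_installed_status() {
    installed=$(rpm -q --qf '%{VERSION}\n' x2goserver 2>/dev/null) || {
        echo unknown; return 0
    }
    x2go_fix_status "$installed"
}
```

Call `x2go_installed_status` on each X2Go server after running the yum update; anything other than `fixed` needs a closer look.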

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

