Detections
Analytics

Fedora 20 : x2goserver-4.0.1.10-1.fc20 (2014-0202)

high Nessus Plugin ID 71922

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

This release pulls in all changes that got introduced in the Baikal LTS release 4.0.0.8, including a severe vulnerability in x2gocleansessions. Gains of the LTS version 4.0.0.8 of x2goserver are :

o Improve parsing of the NX session.log file. Fix session suspending/resuming when in fails in some occasions. o Fix severe vulnerability in x2gocleansessions. o Sanitize session ID string, port numbers, display numbers and agent PID numbers before writing them as strings to the session DB.

Please note::: This release fixes a severe vulnerability in X2Go Server that allowed an attacker with user permissions to gain root access tothe X2Go Server machine. Everyone, please upgrade your X2Go Server installations.

New gains of the version 4.0.1.10 of x2goserver are :

o Fix x2goresume-session that we broke in 4.0.1.9. o Ship x2goserver-fmbindings o Allow enabling/disabling of TCP listening of x2goagent.

 - Disable Xsession support for now - Debian specific (Bug #1038834)

Update to 4.0.1.9 - incorporate changes from 4.0.0.7 LTS bugfix release.

 - Drop incorrect keyboard patch- Use mktemp instead of tempfile

 - Fix Xsession.d link creation

 - Add patch to fix keyboard setting (bug #1033876)

Update to 4.0.1.8 :

 - Fix resizing when resuming sessions.

 - Fix automatic keyboard setup (via x2gosetkeyboard) while resuming a session. (Fixes: #285).

 - Provide sudoers.d/x2goserver file that allows sudoed commands under KDE (by pertaining the env var QT_GRAPHICSSYSTEM. (Fixes: #276).

 - With PostgreSQL as session db backend, prevent the root user from launching sessions. Also, prevent x2gouser_root from being added as a PostgreSQL user.
 (Fixes: #310).

 - Execute DB status changes as late as possible during suspend / terminate.

 - Start/resume rootless sessions without geometry parameter. Esp. using X2GO_GEOMETRY=fullscreen for rootless sessions lead to an extra 1x1 px session window (nxagentCreateIconWindow in nxagent's Window.c).

 - Typo fix in x2goruncommand (for MATE session startup).

 - Make umask that is used when mounting client-side folders via SSHFS configurable in x2goserver.conf.
 (Fixes: #331).

 - Use bash-builtin 'type' instead of to be avoided 'which'. (Fixes: #305).

 - Disable Xsession support for now - Debian specific (Bug #1038834)

Update to 4.0.1.9 - incorporate changes from 4.0.0.7 LTS bugfix release.

 - Drop incorrect keyboard patch

 - Use mktemp instead of tempfile

 - Fix Xsession.d link creation

 - Add patch to fix keyboard setting (bug #1033876)

Update to 4.0.1.8 :

 - Fix resizing when resuming sessions.

 - Fix automatic keyboard setup (via x2gosetkeyboard) while resuming a session. (Fixes: #285).

 - Provide sudoers.d/x2goserver file that allows sudoed commands under KDE (by pertaining the env var QT_GRAPHICSSYSTEM. (Fixes: #276).

 - With PostgreSQL as session db backend, prevent the root user from launching sessions. Also, prevent x2gouser_root from being added as a PostgreSQL user.
 (Fixes: #310).

 - Execute DB status changes as late as possible during suspend / terminate.

 - Start/resume rootless sessions without geometry parameter. Esp. using X2GO_GEOMETRY=fullscreen for rootless sessions lead to an extra 1x1 px session window (nxagentCreateIconWindow in nxagent's Window.c).

 - Typo fix in x2goruncommand (for MATE session startup).

 - Make umask that is used when mounting client-side folders via SSHFS configurable in x2goserver.conf.
 (Fixes: #331).

 - Use bash-builtin 'type' instead of to be avoided 'which'. (Fixes: #305).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected x2goserver package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1038834

http://www.nessus.org/u?3a1b7152

Plugin Details

Severity: High

ID: 71922

File Name: fedora_2014-0202.nasl

Version: 1.5

Type: local

Agent: unix

Published: 1/13/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:x2goserver, cpe:/o:fedoraproject:fedora:20

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 1/4/2014

Vulnerability Publication Date: 1/4/2014

Reference Information

FEDORA: 2014-0202