[Thinlinc-announce] Security updates for ThinLinc available

Pierre Ossman ossman at cendio.se
Thu May 8 14:55:00 CEST 2014


Two security vulnerabilities have recently been discovered in ThinLinc.
All currently supported versions of ThinLinc are affected by these
issues and we recommend that everyone apply the linked updates.

The two issues are:

* A security vulnerability with the server side support for "Local
  Drive Redirection" has been discovered. Due to a race condition it is
  possible for a user with ThinLinc access to mount file systems
  outside their designated area. (bug 4972)

* The storage of the Web Administration Interface password has a
  weakness that allows anyone with access to the system to discover
  what the password is. (bug 4918)

To remedy these issues, please follow the following steps:

1. Download the packages that matches your platform and ThinLinc
   version from both of these URLs:

    http://www.cendio.com/downloads/updates/b4918/
    http://www.cendio.com/downloads/updates/b4972/

   Don't forget the tlmisc-libs packages for 3.3.0 and later.
   Also note that Solaris does not support local drives, so only the
   vsm package is available for that platform.

2. Update the relevant packages:

    sudo rpm -Fvh <packages>

   or

    sudo dpkg -i <packages>

   or

    sudo pkgrm CENDthinlincvsm
    sudo pkgadd -d CENDthinlincvsm-<version>-sparc all

3. Clear out the old Web Administration password:

    sudo /opt/thinlinc/bin/tl-config /tlwebadm/password=" "

4. Run tl-setup to set a new password and restart the services.

    sudo /opt/thinlinc/sbin/tl-setup

Regards
-- 
Pierre Ossman           Software Development
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linköping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.cendio.se/pipermail/thinlinc-announce/attachments/20140508/9ea831cd/attachment.bin>


More information about the Thinlinc-announce mailing list