From astrand at cendio.se Mon Dec 18 14:56:05 2017
From: astrand at cendio.se (Peter Astrand)
Date: Mon, 18 Dec 2017 14:56:05 +0100 (CET)
Subject: [Thinlinc-announce] ThinLinc Server Security Update
Message-ID:

A security vulnerability with the server side support for "Local Drive
Redirection" has been discovered (bug 7087). In 4.8.0 and earlier
versions, it was possible for a local user to mount file systems outside
their designated area, allowing for a local attacker to gain elevated
privileges on the system.

ThinLinc 4.8.1 has been released to correct this problem. Please note
the new release also includes a 4.8.1 client, but it is without changes
and identical to 4.8.0. No client update is needed.

Hotfix packages for older releases are available from
https://www.cendio.com/downloads/updates/b7087. After download, update
the relevant packages with:

    sudo rpm -Fvh

or

    sudo dpkg -i

If Local Drive Redirection is not required, or if you are running a
version which is more than 3 years old, another solution is to disable
this feature by running:

    # chmod u-s /opt/thinlinc/libexec/tl-mount-personal

Please note that the Local Drive Redirection feature now requires Linux
kernel 2.6.23 or later.

---
Peter Astrand
Cendio AB                 https://cendio.com
Teknikringen 8            https://twitter.com/ThinLinc
583 30 Linkoping          https://facebook.com/ThinLinc
Phone: +46-13-214600      https://google.com/+CendioThinLinc
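
A host check for the two conditions in the announcement above, as an added example that is not part of the original message or of ThinLinc: whether the setuid bit is still set on tl-mount-personal, and whether the running kernel meets the 2.6.23 minimum. The helper path and kernel version are taken from the announcement; the function names and report wording are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Cendio's code. Path and kernel minimum are from the
# announcement; function names and messages are hypothetical.
HELPER=/opt/thinlinc/libexec/tl-mount-personal
MIN_KERNEL=2.6.23

# helper_state PATH: print "absent", "setuid" or "disabled".
helper_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then
        echo setuid        # feature active: needs 4.8.1 or the hotfix
    else
        echo disabled      # chmod u-s workaround already applied
    fi
}

# kernel_ok RELEASE [MIN]: exit status 0 when RELEASE >= MIN.
# Compares the first three dotted fields numerically, so 2.10 > 2.6.
kernel_ok() {
    k_rel="${1%%-*}.0.0"              # drop distro suffix, pad fields
    k_min="${2:-$MIN_KERNEL}.0.0"
    for i in 1 2 3; do
        a=$(printf '%s\n' "$k_rel" | cut -d. -f"$i"); a=${a%%[!0-9]*}
        b=$(printf '%s\n' "$k_min" | cut -d. -f"$i"); b=${b%%[!0-9]*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# audit [PATH] [RELEASE]: print a report; exit status 1 if the helper
# is still setuid, since this script cannot see the installed version.
audit() {
    state=$(helper_state "${1:-$HELPER}")
    running=${2:-$(uname -r)}
    echo "tl-mount-personal: $state"
    if kernel_ok "$running"; then
        echo "kernel $running: meets the $MIN_KERNEL minimum"
    else
        echo "kernel $running: older than $MIN_KERNEL"
    fi
    [ "$state" != setuid ]
}

audit || echo "action: confirm 4.8.1 or the hotfix is installed"
```

A "setuid" result only means the feature is enabled; the installed package version still has to be confirmed through rpm or dpkg.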