[Thinlinc-technical] Security updates for ThinLinc available
Pierre Ossman
ossman at cendio.se
Thu May 8 14:55:00 CEST 2014
Two security vulnerabilities have recently been discovered in ThinLinc.
All currently supported versions of ThinLinc are affected by these
issues and we recommend that everyone apply the linked updates.
The two issues are:
* A security vulnerability with the server side support for "Local
Drive Redirection" has been discovered. Due to a race condition it is
possible for a user with ThinLinc access to mount file systems
outside their designated area. (bug 4972)
* The storage of the Web Administration Interface password has a
weakness that allows anyone with access to the system to discover
what the password is. (bug 4918)
To remedy these issues, please follow the following steps:
1. Download the packages that matches your platform and ThinLinc
version from both of these URLs:
http://www.cendio.com/downloads/updates/b4918/
http://www.cendio.com/downloads/updates/b4972/
Don't forget the tlmisc-libs packages for 3.3.0 and later.
Also note that Solaris does not support local drives, so only the
vsm package is available for that platform.
2. Update the relevant packages:
sudo rpm -Fvh <packages>
or
sudo dpkg -i <packages>
or
sudo pkgrm CENDthinlincvsm
sudo pkgadd -d CENDthinlincvsm-<version>-sparc all
3. Clear out the old Web Administration password:
sudo /opt/thinlinc/bin/tl-config /tlwebadm/password=" "
4. Run tl-setup to set a new password and restart the services.
sudo /opt/thinlinc/sbin/tl-setup
Regards
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.cendio.se/pipermail/thinlinc-technical/attachments/20140508/9ea831cd/attachment-0004.sig>
More information about the Thinlinc-technical
mailing list