[Thinlinc-technical] ThinLinc Server Security Update

Peter Astrand astrand at cendio.se
Mon Dec 18 14:56:05 CET 2017


A security vulnerability with the server side support for "Local Drive
Redirection" has been discovered (bug 7087). In 4.8.0 and earlier
versions, it was possible for a local user to mount file systems
outside their designated area, allowing for a local attacker to gain
elevated privileges on the system. ThinLinc 4.8.1 has been released to
correct this problem. Please note the new release also includes a
4.8.1 client, but it is without changes and identical to 4.8.0. No
client update is needed.


Hotfix packages for older releases are available from
https://www.cendio.com/downloads/updates/b7087. After download, update
the relevant packages with:

     sudo rpm -Fvh <packages>

    or

     sudo dpkg -i <packages>


If Local Drive Redirection is not required, or if you are running a
version which is more than 3 years old, another solution is to disable
this feature by running:

     # chmod u-s /opt/thinlinc/libexec/tl-mount-personal

Please note that the Local Drive Redirection feature now requires
Linux kernel 2.6.23 or later.


---
Peter Astrand
Cendio AB		https://cendio.com
Teknikringen 8		https://twitter.com/ThinLinc
583 30 Linkoping	https://facebook.com/ThinLinc
Phone: +46-13-214600	https://google.com/+CendioThinLinc
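
Added example, not part of the original message and not Cendio's code: a small audit script for the mitigation described above. It reports whether the setuid bit is still set on tl-mount-personal and whether the running kernel meets the 2.6.23 minimum. The helper path and the minimum kernel version come from the advisory; the function names, status strings and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. HELPER and the 2.6.23 minimum come from the advisory;
# function names and status strings are made up for illustration.
HELPER="${HELPER:-/opt/thinlinc/libexec/tl-mount-personal}"
MIN_KERNEL="2.6.23"

# has_setuid FILE: true if FILE is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# kernel_at_least RELEASE MINIMUM: numeric compare of major.minor.patch.
kernel_at_least() {
    have=${1%%[!0-9.]*}   # "3.10.0-693.el7.x86_64" -> "3.10.0"
    want=$2
    for n in 1 2 3; do
        h=${have%%.*}; w=${want%%.*}
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        # drop the field just compared
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# audit FILE RELEASE: print one status line.
# Returns 0 = absent or not setuid, 1 = setuid, 2 = setuid on an old kernel.
audit() {
    if ! has_setuid "$1"; then
        echo "OK: $1 is absent or not setuid (Local Drive Redirection disabled)"
        return 0
    fi
    if kernel_at_least "$2" "$MIN_KERNEL"; then
        echo "CHECK: $1 is setuid; confirm 4.8.1 or the bug 7087 hotfix is installed"
        return 1
    fi
    echo "WARN: $1 is setuid and kernel $2 is older than $MIN_KERNEL"
    return 2
}

audit "$HELPER" "$(uname -r)" || echo "audit exit status: $?"
```

The script cannot tell a patched helper from an unpatched one; a CHECK result means the installed package version still has to be confirmed with the package manager.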

