desa-2008-002: ltsp -- disabled x access control mechanisms
  • posted: 16.03.2008, 13:20
    Sender: morten werner forsbring
    --------------------------------------------------------------------------
    Debian Edu/Skolelinux Security Advisory DESA 2008-002
    http://www.skolelinux.org/security/                  Morten Werner Forsbring
    March 16th, 2008                 debian-edu-security@lists.alioth.debian.org
    --------------------------------------------------------------------------

    Package             : ltsp (ltsp)
    Vulnerability       : disabled X access control mechanisms
    Problem-Type        : remote
    Need reboot         : no
    Debian Edu-specific : no
    CVE ID              : -
    DSA ID              : -


    The vulnerability described in this DESA affects Debian Edu/Skolelinux
    3.0 (codename terra) based on Debian GNU/Linux 4.0 (codename etch).

    Christian Herzog discovered that access controls were disabled for ldm,
    which leaves the X display wide open.

    We recommend that you upgrade your ltsp packages to the new
    0.99debian12+0.0.edu.etch.9 package built for Debian Edu/Skolelinux.

    IMPORTANT NOTE: Be aware that upgrading the package on the server will
    not be enough if you use LTSP as suggested by Debian Edu.

    That is: "aptitude upgrade" will most likely NOT be enough, you
    probably will need to do MORE. Please read the _complete_ upgrade
    instructions below!


    Upgrade Instructions
    --------------------

    Make sure the line

      deb http://ftp.skolelinux.org/skolelinux etch local

    is present in your /etc/apt/sources.list and run 'aptitude update' to
    update your package lists. Then run

      aptitude upgrade

    to upgrade all the packages mentioned above. This might upgrade other
    packages too, and you should run

      aptitude install ltsp

    if you only want to upgrade the package mentioned above.


    In Debian Edu, when using LTSP, ldm is also installed in a chroot
    environment which is exported via NFS to the LTSP clients. This chroot
    will not be upgraded merely by upgrading the server itself.

    For example, on i386, to upgrade ldm in the chroot it will require the
    following commands on your Debian Edu / Skolelinux thin-client
    servers:

      chroot /opt/ltsp/i386 aptitude update
      chroot /opt/ltsp/i386 aptitude upgrade

    to upgrade the chroot environments. Then you should reboot all your
    thin clients.

    --------------------------------------------------------------------------
    Mailing lists: debian-edu-announce@lists.debian.org
    Package info: `apt-cache show <pkg>'
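A post-upgrade check for the procedure in the advisory above, added here as an example and not part of the advisory or of LTSP: it compares the installed version on the server and in every chroot under /opt/ltsp against the fixed version, and classifies what `xhost` reports for the current display. The package name `ldm`, the `--audit` switch and the function names are assumptions of this example.

```shell
# Added example: post-upgrade check for DESA 2008-002. Not part of the advisory.
FIXED="0.99debian12+0.0.edu.etch.9"  # fixed version named in the advisory
PKG="${PKG:-ldm}"                     # assumption: binary package to inspect

# Classify the text printed by `xhost` without arguments (read from stdin).
x_acl_state() {
    out=$(cat)
    case "$out" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# Map an installed version string to fixed / vulnerable / missing.
version_state() {
    [ -n "$1" ] || { echo missing; return 0; }
    if dpkg --compare-versions "$1" ge "$FIXED"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Version of $PKG on the server (empty argument) or inside an LTSP chroot.
installed_version() {
    if [ -n "$1" ]; then
        chroot "$1" dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null
    else
        dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null
    fi
}

audit() {
    rc=0
    for root in "" /opt/ltsp/*; do
        [ -z "$root" ] || [ -x "$root/usr/bin/dpkg-query" ] || continue
        state=$(version_state "$(installed_version "$root")")
        echo "${root:-server}: $PKG $state"
        if [ "$state" = vulnerable ]; then rc=1; fi
    done
    # If run from an X session, also report that display's access control state.
    if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
        echo "display $DISPLAY: $(xhost 2>&1 | x_acl_state)"
    fi
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with `--audit` as root on each thin-client server; a chroot reported as vulnerable still needs the chroot upgrade commands and a thin-client reboot described in the advisory.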
