X2Go Bug report logs -
#335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc
Reported by: "Dan Halbert" <halbert@halwitz.org>
Date: Mon, 21 Oct 2013 12:48:02 UTC
Severity: grave
Tags: confirmed, pending
Fixed in version 0.4.0.9
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
Full log
🔗
View this message in rfc822 format
close #335
thanks
Hello,
we are very hopeful that X2Go issue #335 reported by you
has been resolved in the new release (0.4.0.9) of the
X2Go source project »src:python-x2go«.
You can view the complete changelog entry of src:python-x2go (0.4.0.9)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.
http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=62f82b9324d1ed8240af1ad0bf0e5ff82f08ee49;hp=000e5e38e26713f485314365486d05b93100a189
If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.
Thanks a lot for contributing to X2Go!!!
light+love
X2Go Git Admin (on behalf of the sender of this mail)
---
X2Go Component: src:python-x2go
Version: 0.4.0.9-0x2go1
Status: RELEASE
Date: Wed, 08 Jan 2014 15:14:16 +0100
Fixes: 329 330 335
Changes:
python-x2go (0.4.0.9-0x2go1) RELEASED; urgency=low
.
[ Mike Gabriel ]
* New upstream version (0.4.0.9):
- Agent channels in Paramiko can raise an EOFError if the connection
has got disrupted. Ignoring this.
- Store the session password in base64 encoded string in order to make
it harder spotting the long term stored (for the duration of the session)
plain text password.
- Support encryption passphrases on SSH private key files (X2Go SSH
connections as well as SSH proxy connections).
- Invalidate SSH private keys (filename, pkey object) when look_for_keys is
requested.
- Keep private key information even if force_password_auth is set in the
control session's connect() method.
- Fix parameter handling in X2GoSession.connect().
- Rewrite passwords that are not string/unicode to an empty string.
- No Unicode chars in log messages. Eliminated one more in checkhosts.py.
- Implement two-factor authentication.
- Compat fix in _paramiko monkey patch module to also work with early
Paramiko versions.
- Handle echoing ~/.*shrc files gracefully via SSH client connections. Do
not allow data injections via ~/.*shrc files. (Fixes: #335).
- Properly handle (=expand) the "~" character in key filenames. (Brought to
attention by Eldamir on IRC. Thanks!).
- Differentiate between desktop sharing errors and desktop sharing access
that gets denied by the other/remote user.
- Report about found session window / session window retitling in debug
mode.
- Fix session window detection when local session manager is the i3 session
manager (which uses _NET_CLIENT_LIST_STACKING instead of
_NET_CLIENT_LIST).
- Check for pulse cookie file in old (~/.pulse-cookie) and new
(~/.config/pulse/cookie) location.
- Import python-x2go-py3.patch from Fedora. Thanks to Orion!!!
- Improve setup.py script: make it run with Python3 and older Python2
versions.
- Fix tests for two-factor authentication in control session and SSH proxy
code.
- Fix regression: Make password logins with PyHoca-CLI succeed again.
- Make channel compression to all authentication methods.
- Set keepalive on proxy channel.
- Only use [<host>]:<port> if <port> is not 22.
- Handle host key checks for hosts that do not have a port specified.
* debian/source/format:
+ Switch to format 1.0.
* python-x2go.spec:
+ Ship python-x2go.spec (RPM package definitions) in upstream project.
(Thanks to the Fedora package maintainers).
+ Clear (Fedora package) changelog.
+ Drop dependency on python-cups.
.
[ Orion Poplawski ]
* debian/control:
+ Drop python-cups from Depends: field. Python CUPS is no dependency if
Python X2Go. (Fixes: #329).
.
[ Kenneth Pedersen ]
* New upstream version (0.4.0.9):
- Color depth detection: Stop using win32api.GetSystemMetrics(2) which actually
returns the width of a vertical scroll bar in pixels. Instead, create a screen
display context and query it for the color depth. (Fixes: #330).
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Sun Nov 24 13:19:45 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.