From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#508 closed by Mike Gabriel (X2Go issue (in src:python-x2go) has been marked as closed)
References: <20141020105023.1C7165DB42@ymir.das-netzwerkteam.de>
X-X2go-PR-Keywords: security pending
X-X2go-PR-Message: they-closed 508
X-X2go-PR-Package: python-x2go
X-X2go-PR-Source: python-x2go
Date: Mon, 20 Oct 2014 10:55:22 +0000

This is an automatic notification regarding your Bug report
which was filed against the python-x2go package:

#508: X2GoSession class: add clipboard session parameter

It has been closed by Mike Gabriel.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel by
replying to this email.

--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems


From: Mike Gabriel
To: 508-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 508@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as closed
Message-Id: <20141020105023.1C7165DB42@ymir.das-netzwerkteam.de>
Date: Mon, 20 Oct 2014 12:50:23 +0200 (CEST)

close #508
thanks

Hello,

we are very hopeful that X2Go issue #508 reported by you
has been resolved in the new release (0.5.0.0) of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (0.5.0.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=3fec411b839b53c0e51a73dd05c7a77dcde800e8;hp=3088eda9bf1494527afecc4b36c56a8caff314d0

If you feel that the issue has not been resolved satisfyingly, feel free
to reopen this bug report or submit a follow-up report with further
observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:python-x2go
Version: 0.5.0.0-0x2go1
Status: RELEASE
Date: Mon, 20 Oct 2014 12:40:34 +0200
Fixes: 334 358 500 508 532 537 588 602
Changes:
 python-x2go (0.5.0.0-0x2go1) RELEASED; urgency=low
 .
 [ Mike Gabriel ]
 * New upstream version (0.5.0.0):
   - Split up session profile backend into generic and storage specific
     parts.
   - Fully rework backend concept in Python X2Go. Breaks compatibility
     with earlier versions of Python X2Go concerning backends (probably
     not really used by third-party products, if at all).
   - Fix setting default values in X2GoClientXConfig class.
   - Default to xdg-open as default PDF viewer command.
   - Provide session profile backend for a http broker.
   - Make session profile backends more unicode robust.
   - X2GoSessionProfile.get_server_hostname must return unicode objects.
   - Speed-optimize session profile ID <-> name mapping.
   - Handle injection of PKey (Paramiko SSH key) objects for
     authentication from the broker session profiles backend.
   - Allow catching "connection refused" errors while talking to an X2Go
     Session Broker (X2GoBrokerConnectionException).
   - Support cookie based authentication against a http(s) session broker.
   - On Windows: Improve debugging when a new X-Server port has to be
     allocated.
   - Capture broker connection problems during selectsession calls to the
     broker via a HOOK method.
   - Allow user interaction via a HOOK if broker connection problems occur.
   - Handle broker setups that don't require credentials. Connection can
     be established simply by leaving the password (and authid) empty.
   - Fix detection of matching path names in X2GoIniFiles.
   - Make sure X2GoClientXConfig config file really gets written to disk
     (after we changed the internas of X2GoIniFile for this new major
     release).
   - Rename hook method HOOK_no_known_xserver_found to
     HOOK_no_installed_xservers_found. Call this new hook if no installed
     X-Servers could be found on the system.
   - Only check running X-Servers that have the same WMI SessionId as the
     current X2Go application.
   - Session profiles: default value type for exports session profile
     option is an empty dictionary.
   - Make X2GoClient's constructor aware of non-usable X-Server ports.
   - Windows: Fix crash while attempting to find the session window.
   - Support SSH proxy autologin feature of X2Go Session Broker.
   - Provide Telekinesis support in Python X2Go.
   - Stop manipulating session profiles in X2GoSshProxy class. Esp. stop
     manipulating session profiles with deprecated session options.
   - Type-hardening of X2GoSshProxy class. Accept hosts as list and
     strings. If hosts are given as a list, a random list element will be
     taken as host (for connecting and for the SSH proxy tunnel setup).
   - Type-hardening of X2GoControlSession class's C{connect()} method.
     Handle hostnames that come in as lists gracefully.
   - Don't construct the sshproxy_tunnel parameter in x2go/utils.py. Leave
     that to higher level classes that know more about X2Go internals.
   - Add support for a subsystem string when setting up port forwarding
     tunnels.
   - Use gevent to spawn the TeKi client start-up process (instead of
     waiting for it to return).
   - Provide support for new session parameter: clipboard. (Fixes: #508).
   - Split up NX output and NX errors into two separate files.
   - Silently ignore it if we cannot detect the local
     Xlib.display.Display() instance (happens with polyinstantiated /tmp
     dirs).
   - Don't start telekinesis client if not supported server-side. Don't
     attempt at starting telekinesis client, if it is not installed.
   - Disallow server-side users to override X2Go Server commands via ~/bin
     (or similar). (Fixes: #334).
   - Handle non-available color depth in X2Go session name gracefully.
     (Fixes: #358).
   - Make sure that the x2gosuspend-session/x2goterminate-session commands
     are sent to the X2Go Server before we take down the NX proxy
     subprocess.
   - Create a "session.window" file in the session directory.
     This file for now contains one line "ID:". The file appears once a
     session window comes up (start/resume), and disappears once the
     session window closes (suspend/terminate).
   - Only enable Telekinesis client debugging if the logger instance is in
     debug mode.
   - Performance tests have shown, that enabling SSH compression is not a
     good idea. NX should handle that instead (and does).
   - Better control the startup bootstrap of the Telekinesis client
     subsystem.
   - Newly understand our own Paramiko/SSH forwarding tunnel code. Become
     aware of handling multiple connects on the same tunnel.
   - Rename LICENSE.txt to COPYING.
   - Be more exact when detecting the NX proxy window id.
   - On non-Windows platforms, enforce usage of the "ares" DNS resolver in
     python-gevent (which is available since Python gevent 1.0~).
     (Fixes: #588).
   - Use Xlib to detect client-side desktop geometry.
   - For reverse port forwardings use IPv4 localhost address only.
   - Assure proper NX Proxy cleanup when sessions suspends/terminates.
   - Assure proper Telekinesis client cleanup when sessions
     suspends/terminates.
   - Clean up terminal sessions properly when the clean_sessions() method
     of the control session has got called.
   - Don't use compression on TeKi sshfs mounts.
   - Handle duplicate profile names gracefully (i.e. append a " (1)",
     " (2)", ... to the session profile name). (Fixes: #500).
   - Support server-side Telekinesis versions that ship their own
     (teki-)sftpserver.
   - Use session_name, not session_info object's __str__() method to
     obtain session name (in X2GoTelekinesis).
   - Handle socket errors on the reverse port forwarding tunnels more
     gracefully.
   - Handle sudden control session death during local folder sharing
     gracefully.
   - Don't choke on non-initialized SSH transport objects when
     initializing SFTP client.
   - Fix transport lock release in X2GoControlSession._x2go_sftp_put().
   - Fix session lock release in various methods of the X2GoSession class.
   - Release _share_local_folder_lock on instance X2GoTerminalSession
     destruction.
   - Detect non-installed sshfs (required for Telekinesis).
   - X2GoControlSession: Don't mess with the associated_terminals dict if
     the control session has already died away (i.e. been forcefully
     disconnected).
   - If the listsessions command detects a terminated or suspended
     session, we have to destroy the corresponding X2GoTerminalSession()
     to trigger a proper cleanup of that instance.
   - Fix various hrefs in __doc__ strings.
   - Fix creating/renaming/reconfiguring session profiles. Handle host
     option properly (as list).
   - Make sure we do a deepcopy of the default session profile parameters.
   - Detect more exceptions in the requests module when authenticating
     against a session broker.
   - Only convert the value of the export session profile option if not
     already a Python dictionary.
   - Capture X2GoControlSessionException occurrences during client-side
     folder sharing initialization while starting/resuming a session.
   - X2GoSessionRegistry: Don't report about sessions that have a not yet
     fully assigned session name / profile name / profile id.
 * debian/control:
   + Add dependencies: python-requests, python-simplejson.
   + Add R (python-x2go): sshfs.
   + Add S (python-x2go): telekinesis-client, mteleplayer-clientside.
   + Update D (python-x2go): python-paramiko (>= 1.15.1-0~). (Fixes: #602).
 * python-x2go.spec:
   + Add dependencies: python-requests, python-simplejson.
   + Additionally adapt to building on openSUSE/SLES.
   + Add all python packages under R to BR (for epydoc run).
   + Update R for python-x2go: python-paramiko >= 1.15.1.
 .
 [ Mike DePaulo ]
 * New upstream version (0.5.0.0):
   - Windows: Fix compatibility with PulseAudio 3.0 & later (Fixes: #532)
   - Windows: Prevent high PulseAudio CPU usage on Windows XP by lowering
     PulseAudio's CPU priority from "high" to "normal" on XP specifically.
     Also do so on Windows Server 2003 (R2) (Fixes: #537)


Message-ID: <1372646308.18508.2.camel@heisenberg.scientia.net>
Subject: SECURITY: x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200

Package: x2goclient
Severity: grave
Tags: security

Hi.

From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588

It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other related tools?)
transmit the content of the clipboard to the remote host.

As this may easily contain passwords or other sensitive information, this
is an extremely critical hole.

Cheers,
Chris.