ANNOUNCE: GDM 2.4.4.4 (stable) (and 2.4.1.7), the "Chinese in Space" release



YYYYYYYYYYYYYYYYYYYYYAIKES!

(If you have no clue what gdm is, skip a few paragraphs down first)

Well, I really ought to be doing homework, but alas, security problems
tend to creep up in the most unexpected times.  This time it's not
as serious, but still somewhat serious for large installations.  These
are two local DoS attacks, unexploitable in any way other than to
crash or hang the main daemon, thus making further logins impossible.  Note
that neither will crash or hang current sessions however.  They were
classified as CAN-2003-0793 and CAN-2003-0794.

I've made a 2.4.4.4 release which is for GNOME2.4 and for those of you still
running old GNOME I've made 2.4.1.7.  However 2.4.4.4 should really compile
on old GNOME (anything 2.0 and up I'd think) and you should really use
this version as it has many security enhancements over 2.4.1.x and many
MANY fixes over that version.  The 2.4.1.7 version just fixes the security
problems and the underline problem and nothing else.  The 2.4.4.4 version
includes several new bug fixes.

And now for the standard part of the release announcement:

GDM is the GNOME Display Manager, it is the little proggie that runs in the
background, runs your X sessions, presents you with a login box and then
tells you to piss off because you forgot your password.  It does pretty much
everything that you would want to use xdm for, but doesn't involve as much
crack.  It doesn't use any code from xdm, and has a more paranoid and safer
design overall.  It also includes many features over xdm, the biggest one of
which is that it is more user friendly, even if your X setup is failing.  The
goal is that users should never, ever have to use the command line to
customize or troubleshoot gdm.  It of course supports xdmcp, and in fact
extends xdmcp a little bit in places where I thought xdm was lacking (but is
still compatible with xdm's xdmcp).

News:
=====

Highlights of 2.4.4.4:

- SECURITY: Fixed CAN-2003-0793, a local DoS, the socket connection
  is now non-blocking and limited in the number of commands it accepts

- SECURITY: Fixed CAN-2003-0794, a local DoS, the line length is limited
  to 4096 bytes (note, this was not a buffer overrun).

  (Thanks to Jarno Gassenbauer for pointing out the above two problems)

- Avoid possible DoS by using "-audit 0" for the X server command line

- When cookies are in the fallback dir touch them every
  12 hours to avoid tmpwatch from removing them

- Add config key NeverPlaceCookiesOnNFS to allow
  cookie files on NFS or similar filesystems

- Graphical greeter now graphically complains if it can't
  load a theme rather than plainly failing.

- Go shell quoting crazy (fixes among others rh #105858,
  but none of the issues were actually security problems,
  "annoying" on really weird configs at most)

- Some more anality with touching user owned files

- Fixed the graphical greeter line breaking to not upset
  pango and generally work with marked up strings

- Fix an underlining bug in the graphical greeter when the underlined letter
  is the last letter. (discussed in rh #106189)

- Minor other fixes (among others #123958, #124680)
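The two security items above both come down to bounding what a local client can make the daemon do over its command socket: cap the line length, cap the number of commands per connection, and never block on a read.  As an added illustration (not GDM's own code), here is a C reader that applies those caps.  MAX_LINE_LEN matches the 4096-byte limit named above; MAX_COMMANDS, the struct and function names are hypothetical choices for this example.

```c
/* Added illustration, not GDM's code: a bounded, non-blocking line reader
 * of the kind the 2.4.4.4 changelog describes.  A line longer than
 * MAX_LINE_LEN bytes or more than MAX_COMMANDS lines on one connection
 * makes the connection get dropped, and reads never block, so one
 * misbehaving local client cannot stall the main daemon loop. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define MAX_LINE_LEN 4096   /* the cap named in the changelog */
#define MAX_COMMANDS 32     /* hypothetical per-connection budget, not GDM's value */

enum feed_status {
    FEED_OK       =  0,   /* bytes accepted; zero or more whole lines delivered */
    FEED_TOO_LONG = -1,   /* a line exceeded MAX_LINE_LEN without a newline */
    FEED_TOO_MANY = -2,   /* the connection sent more than MAX_COMMANDS lines */
    FEED_CLOSED   = -3,   /* peer closed the socket */
    FEED_ERROR    = -4    /* read(2) failed for a reason other than EAGAIN */
};

struct conn {
    int    fd;
    size_t len;                    /* bytes of the current partial line */
    int    commands;               /* complete lines seen so far */
    char   buf[MAX_LINE_LEN + 1];  /* room for the line plus a NUL */
};

typedef void (*line_cb)(const char *line, void *arg);

void conn_init(struct conn *c, int fd)
{
    memset(c, 0, sizeof *c);
    c->fd = fd;
}

/* Put the descriptor into non-blocking mode; 0 on success, -1 on error. */
int conn_set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -1 : 0;
}

/* Accept n bytes of input.  Each completed line is handed to cb without its
 * newline.  Any negative result means the caller must close the connection. */
enum feed_status conn_feed(struct conn *c, const char *data, size_t n,
                           line_cb cb, void *arg)
{
    size_t i;
    for (i = 0; i < n; i++) {
        char ch = data[i];
        if (ch == '\n') {
            c->buf[c->len] = '\0';
            c->len = 0;
            if (++c->commands > MAX_COMMANDS)
                return FEED_TOO_MANY;
            if (cb)
                cb(c->buf, arg);
            continue;
        }
        if (c->len >= MAX_LINE_LEN)
            return FEED_TOO_LONG;   /* refuse rather than grow the buffer */
        c->buf[c->len++] = ch;
    }
    return FEED_OK;
}

/* One non-blocking read from the connection.  An empty socket yields FEED_OK
 * immediately (EAGAIN) instead of hanging the caller. */
enum feed_status conn_pump(struct conn *c, line_cb cb, void *arg)
{
    char tmp[512];
    ssize_t r = read(c->fd, tmp, sizeof tmp);
    if (r == 0)
        return FEED_CLOSED;
    if (r < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? FEED_OK : FEED_ERROR;
    return conn_feed(c, tmp, (size_t)r, cb, arg);
}

/* Callback that just counts delivered lines; handy for checking the reader. */
void count_line(const char *line, void *arg)
{
    (void)line;
    ++*(int *)arg;
}
```

A daemon would call conn_set_nonblocking on each accepted socket and conn_pump from its select loop; a FEED_TOO_LONG or FEED_TOO_MANY result closes that one client and leaves every other session untouched.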

Note:  GDM2 was originally written by Martin K. Petersen <mkp mkp net>, and
has for a while now been maintained by the Queen of England.  She is usually
not responsive to bug reports or feature requests.  You can try to send them
to me however.

Note2:  If installing from the tarball do note that make install overwrites
most of the setup files, all except gdm.conf.  It will however save backups
with the .orig extension first.

Note3:  Note3 has been deprecated ...

Downloading:
============

Webpage: http://www.jirka.org/gdm.html
http://ftp.gnome.org/pub/GNOME/sources/gdm/2.4/
ftp://ftp.5z.com/pub/gdm/

Sorry no RPMS.  There is a spec file included in the tarball and it should
work.  So generate an rpm with

  rpmbuild -ta gdm-whatever.tar.gz

Have fun (or whatever else you wish to be having),

George

PS:  I really ought to be doing homework :) => no silliness for you

-- 
George <jirka 5z com>
   Religion is what keeps the poor from murdering the rich.
                       -- Napoleon