- --------------------------------------------------------------------------
Debian Edu/Skolelinux Security Advisory                      DESA 2008-002
http://www.skolelinux.org/security/                  Morten Werner Forsbring
March 16th, 2008                  debian-edu-security@lists.alioth.debian.org
- --------------------------------------------------------------------------

Package             : ltsp (ltsp)
Vulnerability       : disabled X access control mechanisms
Problem-Type        : remote
Need reboot         : no
Debian Edu-specific : no
CVE ID              : -
DSA ID              : -

The vulnerability described in this DESA affects Debian Edu/Skolelinux 3.0
(codename terra) based on Debian GNU/Linux 4.0 (codename etch).

Christian Herzog discovered that access control was disabled for ldm, which
leaves the X display wide open.

We recommend that you upgrade your ltsp packages to the new
0.99debian12+0.0.edu.etch.9 package built for Debian Edu/Skolelinux.

IMPORTANT NOTE: Be aware that upgrading the package on the server will not
be enough if you use LTSP as suggested by Debian Edu. That is: "aptitude
upgrade" will most likely NOT be enough, and you will probably need to do
MORE. Please read the _complete_ upgrade instructions below!

Upgrade Instructions
- --------------------

Make sure the line

  deb http://ftp.skolelinux.org/skolelinux etch local

is present in your /etc/apt/sources.list and run 'aptitude update' to
update your package lists. Then run

  aptitude upgrade

to upgrade all the packages mentioned above. This might upgrade other
packages too, and you should run

  aptitude install ltsp

if you only want to upgrade the package mentioned above.

In Debian Edu, when using LTSP, ldm is also installed in a chroot
environment which is exported via NFS to the LTSP clients. This chroot will
not be upgraded merely by upgrading the server itself.

For example, on i386, upgrading ldm in the chroot requires the following
commands on your Debian Edu/Skolelinux thin-client servers:

  chroot /opt/ltsp/i386 aptitude update
  chroot /opt/ltsp/i386 aptitude upgrade

to upgrade the chroot environments. Then you should reboot all your thin
clients.

- --------------------------------------------------------------------------
Mailing lists: debian-edu-announce@lists.debian.org
Package info: `apt-cache show '
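The whole procedure above (server upgrade plus every NFS-exported LTSP chroot, followed by a version report) as one script. This is an added example written for this advisory, not a script shipped by Debian Edu or the ltsp package; it assumes the chroots live under /opt/ltsp/<arch> (override with LTSP_BASE), that /etc/apt/sources.list is the file to edit, and that setting DRY_RUN=1 only prints the privileged commands instead of running them. It generalises the i386 case on the page to all chroots found under the base directory.

```shell
#!/bin/sh
# DESA 2008-002 upgrade driver (added example, not from the advisory).
# A plain "aptitude upgrade" on the server leaves the NFS-exported chroots,
# and therefore the ldm the thin clients actually run, unpatched; this
# script repeats the update inside every chroot under LTSP_BASE.
#
# Assumptions: chroots under $LTSP_BASE/<arch>, sources.list path below,
# DRY_RUN=1 echoes privileged commands instead of executing them.

SKOLELINUX_LINE="deb http://ftp.skolelinux.org/skolelinux etch local"
LTSP_BASE="${LTSP_BASE:-/opt/ltsp}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# ensure_apt_source FILE: append the Skolelinux line to FILE unless an
# identical line already exists, so repeated runs do not duplicate it.
ensure_apt_source() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    if grep -Fxq "$SKOLELINUX_LINE" "$file"; then
        return 0
    fi
    printf '%s\n' "$SKOLELINUX_LINE" >> "$file"
}

# upgrade_server: refresh lists and upgrade only ltsp on the server itself.
upgrade_server() {
    run aptitude update
    run aptitude install ltsp
}

# list_chroots: print each chroot directory under LTSP_BASE, one per line.
list_chroots() {
    for d in "$LTSP_BASE"/*/; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d%/}"
    done
}

# upgrade_chroots: the step the advisory warns is skipped by a server-only
# upgrade; runs the page's two chroot commands in every chroot found.
upgrade_chroots() {
    n=0
    for d in "$LTSP_BASE"/*/; do
        [ -d "$d" ] || continue
        c="${d%/}"
        run chroot "$c" aptitude update
        run chroot "$c" aptitude upgrade
        n=$((n + 1))
    done
    echo "upgraded $n chroot(s) under $LTSP_BASE; reboot the thin clients now"
}

# report_versions: show the installed ltsp version on the server and inside
# each chroot, so the fixed 0.99debian12+0.0.edu.etch.9 can be confirmed
# everywhere rather than only on the server.
report_versions() {
    run dpkg-query -W -f 'server: ${Package} ${Version}\n' ltsp
    for d in "$LTSP_BASE"/*/; do
        [ -d "$d" ] || continue
        c="${d%/}"
        run chroot "$c" dpkg-query -W -f "$c: \${Package} \${Version}\n" ltsp
    done
}

# Only act when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    ensure_apt_source /etc/apt/sources.list
    upgrade_server
    upgrade_chroots
    report_versions
fi
```

Run it as root on each thin-client server with `DRY_RUN=1 sh desa-2008-002.sh --apply` first to review the exact commands it will issue, then without DRY_RUN to apply them; the final report should show the fixed version both for the server and for every chroot before the thin clients are rebooted.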