From: George <jirka@5z.com>
To: gnome-announce-list@gnome.org, gnome-list@gnome.org
Subject: ANNOUNCE: GDM 2.2.2.1, the "George deserves a spanking!" release
Date: Sat, 2 Jun 2001 04:10:42 -0700

EKITYEKITYEKITYEKITY WOOOOOOOOOOOLOOOOOOOOOOONG

Ahh, I thought it would never happen. But now it did, now I am one of the cool kids. I feel like singing. Yes you guessed right, there was a security hole in gdm.

OK what's affected: all versions 2.2.x (and probably most 2.0.9x as well), local displays only. The problem is that gdm forgot to make up a new cookie before it reset the X server. Fortunately it has been in the past overzealous and killed the slave process most of the time on logout, which also ran a completely new X server with completely new cookies. However sometimes it did actually just reinit, making it possible for one user to gain access to the X server of the user who logs in next. Not really a problem for home users as there is no network problem. However public access terminals or places where you don't trust other people on the local console should upgrade.

Well, you should upgrade anyway, cuz 2.2.2 had a bunch of pretty serious bugs which for example could have prevented people from logging in.

Also new in this release is an actual working XDMCP. Now remote xdmcp has been working in 2.2.0, but was broken in 2.2.1 and 2.2.2. Now in 2.2.2.1 both local and remote XDMCP work properly.

A note on this release is that the "ja" and "zh_TW.Big5" translations aren't included because the files on CVS are b0rk and have some illegal characters and such other things. I hope to fix this before next release.

And now for the standard part of the release announcement:

Ahh, so you have no clue what gdm is? Well if you've read this far ... let's not get into that. Gdm is GNOME Display Manager, the little daemon that lets you log in to your computer. It allows xdmcp, multiple login displays, selection of languages, multiple login sessions and generally is much cooler than any xdm clone out there, mostly cuz it isn't an xdm clone to begin with. I mean heck, it's even got a graphical configurator, so you don't have to use the command line to hose your system anymore.

News:
=====

Note the elongating version number. I think next release will be 2.2.2.2, since that sounds cool.

Note that translators didn't get enough notice to do their proper updates because of the security aspect of the release; it will be better with the next release.

Highlights of 2.2.2.1:

- SECURITY FIX! Rebake cookies before reinitializing the local X server. Only local X servers are affected; this bug allowed an attacker to log in, save his cookie, which would then be used for the user who logs in next.
- Fix a race preventing users from logging in sometimes
- Ability to turn off failsafe and chooser sessions (Havoc)
- Fix mit cookie usage to not clobber cookies containing zeros
- Fix remote XDMCP authentication
- Pinging for XDMCP sessions to detect if they're dead
- Saving current gnome session is done from gdm (gnome-core HEAD no longer saves it)
- Don't change utmp from Pre/Post session scripts
- PAM related fixes
- Better handling of X failures
- Nicer iconify button
- gdmphotosetup permissions fixes
- Always add POSIX/C locale setting to language menu
- Nicer minimize button
- Ignore .rpmorig files
- Other fixes
- Translations (Stanislav Visnovsky, Kjartan Maraas, me)

Note: Gdm2 was originally written by Martin K. Petersen <mkp@mkp.net>, and is now maintained by the Queen of England. Although when she's not answering her email, me or Lee Mellabone usually cover for her.

Note2: If installing from the tarball do note that make install now overwrites most of the setup files, all except gdm.conf and gnomerc. It will however save backups with the .orig extension first.

Note3: Distributors, packagers. Please, PLEASE use the standard Gnome script when setting things up as gnome, or at least equivalently working scripts. It should never be OK to just exec gnome-session; that is considered bad form. The script needs to read (if available) the ~/.gnomerc and otherwise read the <sysconfdir>/gdm/gnomerc file. This allows users and administrators to set up custom startup for gnome. Another thing is that if your distro doesn't have gnome-core 1.4.0.4 you should probably disable the Gnome Chooser stuff until that happens (you should update gnome-core anyway). Third thing is make sure to set up the X servers to run on the correct virtual terminals if you start the gdm process before the other login thingies. See the end of the gdm.conf sample file.

Downloading:
============

To download the beast, go to:

ftp://ftp.5z.com/pub/gdm/
ftp://ftp.gnome.com/pub/GNOME/stable/sources/gdm/
ftp://ftp.gnome.com/pub/GNOME/stable/redhat/i386/gdm/
ftp://ftp.gnome.com/pub/GNOME/stable/redhat/SRPMS/gdm/

(Note: I've also made an Alpha/Linux rpm, which is available at the 5z site)

Have fun,

George

PS: I'm too tired to add a funny "PS". I've spent the last around 10 hours inside xdm sources, X/unix documentation and gdm xdmcp and authentication stuff. That's enough to kill an elephant

-- 
George <jirka@5z.com>
   I thoroughly disapprove of duels. If a man should challenge me, I would
   take him kindly and forgivingly by the hand and lead him to a quiet place
   and kill him.
                       -- Mark Twain

_______________________________________________
gnome-announce-list mailing list
gnome-announce-list@gnome.org
http://mail.gnome.org/mailman/listinfo/gnome-announce-list
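The two cookie bugs the announcement fixes, modelled as an added example (constructed C written for this page, not gdm's code): a display that keeps its old cookie across an X server reinit, so a copy taken during the previous session still authenticates against the next user's display, beside the fixed behaviour of rebaking before the reset; and a comparison that treats the cookie as a C string, which is how cookies containing zero bytes get clobbered. The `struct display`, the LCG standing in for the random source, and all function names are assumptions for the demo.

```c
/* Toy model of a display manager's cookie lifecycle; constructed example, not
 * gdm code. A small LCG stands in for the random source so the run is
 * reproducible; a real display manager must draw cookies from a CSPRNG. */
#include <stdint.h>
#include <string.h>

#define COOKIE_LEN 16 /* MIT-MAGIC-COOKIE-1: 128 bits of raw binary, zeros allowed */
struct display { uint8_t cookie[COOKIE_LEN]; uint32_t seed; };

static void make_cookie(struct display *d) /* bake a fresh cookie */
{
    for (int i = 0; i < COOKIE_LEN; i++) {
        d->seed = d->seed * 1103515245u + 12345u;
        d->cookie[i] = (uint8_t)(d->seed >> 16);
    }
}

/* Correct: the cookie is raw bytes, so all COOKIE_LEN of them must match. */
int cookie_equal_bytes(const uint8_t *a, const uint8_t *b)
{ return memcmp(a, b, COOKIE_LEN) == 0; }

/* Defective: string comparison stops at the first zero byte, so any cookie
 * matching up to that byte is accepted (the "cookies containing zeros" bug). */
int cookie_equal_string(const uint8_t *a, const uint8_t *b)
{ return strncmp((const char *)a, (const char *)b, COOKIE_LEN) == 0; }

/* Two cookies sharing a leading zero byte but differing in the last byte;
 * returns the comparator's verdict (a correct comparator returns 0). */
int zero_byte_cookies_match(int (*eq)(const uint8_t *, const uint8_t *))
{
    uint8_t a[COOKIE_LEN] = { 0x5a, 0x00 }, b[COOKIE_LEN] = { 0x5a, 0x00 };
    b[COOKIE_LEN - 1] = 0x01;
    return eq(a, b);
}

/* Defective reinit: the X server is reset but the old cookie is kept. */
void reinit_keep_cookie(struct display *d) { (void)d; }
/* Fixed reinit: rebake the cookie before the server is reset. */
void reinit_rebake(struct display *d) { make_cookie(d); }

/* Does a cookie copied during the previous session still authenticate after
 * the reinit? 1 means the next user's display accepts it: the hole fixed here. */
int previous_cookie_survives(void (*reinit)(struct display *))
{
    struct display d = { .seed = 42 };
    uint8_t saved[COOKIE_LEN];
    make_cookie(&d);                     /* first session's cookie */
    memcpy(saved, d.cookie, COOKIE_LEN); /* copy retained by that session */
    reinit(&d);                          /* logout, reset, next user logs in */
    return cookie_equal_bytes(d.cookie, saved);
}
```

Only the rebaking variant rejects the stale copy, and only the byte-wise comparison distinguishes the two zero-bearing cookies.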