ThinLinc 4.10.0 Release Notes
Cendio are proud to present ThinLinc 4.10.0, with more than 100 enhancements and fixes. The most prominent changes are:
- The base requirements for the server and the Linux client have been raised. The requirements are still very low and all systems released the last 8 to 9 years should still be supported. Check the documentation for the exact details.
- Upgraded graphical stack that includes bug fixes, performance improvements, many small features and generally gives better compatibility with applications running in a ThinLinc session.
- The ability to partition a ThinLinc cluster into to sub-clusters for different use. The different sub-clusters can even use entirely different distributions.
- An overhaul of the authentication in Web Access to increase compatibility with various authentication modules, such as the Duo Access one time password system.
- Support for UNIX and Windows Application Servers has been removed in this version in favour of focusing more on the Linux desktop. Users are encouraged to switch to the applications provided by the distribution where this is still needed, and those applications should continue to work well in ThinLinc.
ThinLinc works on most modern Linux distributions and is supported on any platform that fulfils our documented requirements.
Changes in This Release
In the list below, the bug number is given in parentheses. For more information, visit https://www.cendio.com/bugzilla/.
- Subcluster support has been added. It is now possible to group agents into multiple subclusters which can be associated with specific users or groups. (7188)
- The command tl-run-unixapp has been removed. Using single sign-on with the ssh client is still possible using the $SSH_ASKPASS mechanism and setsid. (7279)
- Configuration parameters which have been renamed or moved can now automatically be migrated when upgrading the server. This feature is part of the 'parameters' migration choice in tl-setup. (7193)
- The system requirements have been raised to require GLIBC 2.12 or newer, Python 2.6 or newer, and PyGTK 2.16 or newer. (5657, 5745, 7196)
- Areas of the screen that have been sent in a reduced quality will now automatically be restored to a high quality once conditions allow it. Reasons for the reduced quality can be explicit user settings or because of bandwidth constraints. (2928)
- The X server platform has been upgraded to 1.20.1. This gives greater compatibility with applications and access to modern X11 extensions. (5241)
- OpenGL now works correctly on platforms using the new GLVND extension. (6177, 7225)
- The high latency handling has been improved to give a more responsive experience for networks with large latency but also plenty of bandwidth. (4735)
- An issue where the X server could crash when using Google Chrome has been fixed. (6234)
- It is now possible to specify shadower by using a group instead of individual users for simpler administration. (7254)
- An issue where the client could be disconnected when using fullscreen mode with two identical monitors has been fixed. (4516)
- Sessions are now started correctly on modern systems that use a per-user D-Bus daemon rather than a per-session one. Previously some applications, or entire desktop environments, would not start correctly. (5950, 6190)
- The new Ubuntu GNOME desktop environment is no longer incorrectly listed as Unity in the profile chooser, it is now listed as Ubuntu Desktop. Also, the Unity desktop environment will now properly be detected by the default profiles on Ubuntu 18.04. (7208)
- An issue has been fixed where either the vsmserver or vsmagent service could start consuming 100% CPU and constantly logging "Unknown control command received on control pipe". (7097)
- An issue has been fixed where the clipboard would become unreliable while using KDE klipper in a session. (7236)
- An issue has been fixed where the setting /vsmserver/allowed_groups could be bypassed if the group lookup failed for every specified group. (7182)
- Indirect OpenGL rendering is now disabled by default. This mode is rarely used and has historically had many security issues. The more common direct OpenGL rendering is still enabled. Indirect rendering can be enabled by adding +iglx to /vsmagent/xserver_args. (5241)
- Upgrade of xorg-server to 1.20.1 fixes multiple vulnerabilities where a malicious application could cause the X server to crash or execute arbitrary code. [CVE-2013-4396, CVE-2015-3418, CVE-2017-10971, CVE-2017-10972, CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183, CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187, CVE-2017-13721, CVE-2017-13723] (4834, 5241)
- Transfer of clipboard between client and server will now only occur if the client window has focus. (7240)
- The transparent parts of mouse cursors are now handled fully. Previously a cursor pixel could only be fully opaque or fully transparent. (1122)
- Caps Lock, Num Lock and Scroll Lock states are now synchronized between the client and server. This increases application compatibility by reducing the need for fake, server generated key presses when these lock keys are used. (400)
- The client or server will no longer crash when configuring a very large session size (8192x8192 or larger). (7242)
- nettle has been updated to version 3.4. (7114)
- GnuTLS has been updated to version 3.5.18. (7115)
- libtasn1 has been upgraded to version 4.13. (7116)
- When upgrading the client or server on RPM systems, the desktop entries (program launchers) disappeared. This has been corrected. (7183)
- Fixed an issue where all the ThinLinc services would be unresponsive when used on Fedora 29 (or any other system with a very recent SELinux policy). (7277)
- OpenSSL has been upgraded to version 1.0.2q. This fixes an ECDSA signature generation timing attack, overflow bugs in AVX2 Montgomery multiplications and carry propagation issues in Montgomery squaring procedures. OpenSSL considers these issues to have low severity or unlikely to be exploited in practice. [CVE-2018-5407, CVE-2017-3736, CVE-2017-3738] (7118)
- The system requirements for GLIBC for the Linux client have been raised to version 2.12. As a result the client for Dell Wyse-Enhanced SuSE Linux has been removed as that platform no longer fulfils the basic requirements. (5745)
- The Windows Client now supports configuration parameters which are longer than 255 characters. (7247)
- The macOS client has received a facelift by using a new theme that better matches other macOS applications. (7238)
- An issue with un-grab of mouse and keyboard has been fixed with the Linux client. This enables you to work with a ThinLinc session in fullscreen on one monitor and your local desktop on the other in a multi-monitor configuration without interference. (5481)
- A hint is shown upon connection to inform how to access the context menu of the client. (7235)
- The client will no longer crash when asking for the passphrase for a public key with French translations. (7250)
- Keyboard handling on Windows has been improved and issues with the AltGr key, the right Shift key and the Break key have been resolved. (965, 5226, 5229, 7237)
- An issue has been fixed where the Linux client could become unresponsive when used with Xorg or Xwayland 1.20 or newer. (7241)
- An issue has been fixed where the Linux client could become unresponsive when connecting. (7285)
- OpenSSH has been upgraded to version 7.9p1. This removes support for connecting to some very old SSH server implementations along with support for SSH protocol version 1. This change also removes support for the hmac-ripemd160 message authentication code and the arcfour, blowfish and CAST ciphers. CBC ciphers are no longer offered by default by the client. RSA keys less than 1024 bits in length are no longer accepted by the client. (7117)
- An issue has been fixed where the Windows client could intermittently fail to connect to the agent. (7231)
ThinLinc Web Access
- Restricting login access based on remote host is now possible in Web Access. Using the PAM system module pam_access.so, one can now restrict access based on user, group, PAM service and remote host. (6346)
- Fixed crashes that occurred when sending or receiving large clipboards in Web Access. (7198)
- It is now possible to log in using case insensitive usernames, or usernames that have several alternative forms (e.g. "user" and "user@DOMAIN"). (6209)
- The authentication handling has been greatly improved. Web Access now handles messages and prompts as expected, allowing things such as expired password prompts and advanced PAM modules such as Duo Access. (5028, 5086)
- Web Access can now handle more than 40 connected clients per agent. ThinLinc no longer has a fixed limit and will allow as many connections as the system can handle. (7187)
- An issue has been fixed where Web Access could start refusing all attempts to log in. (7097)
- An issue has been fixed where it could take a very long time to get an error when trying to log in with a user that doesn't exist. This issue has only been seen on recent Fedora systems. (7203)
- Messages from the authentication system containing special characters are now correctly displayed. This could in theory have been used to inject malicious code in to a Web Access session, but no real world scenario is currently known. (7121)
- Web Access now has basic protection against misbehaving clients. Such clients will be forcefully disconnected if unresponsive. This makes sure that system resources are not wasted needlessly. (7187)
- Web Access now limits the number of concurrent authentications to 32 in order to protect against malicious clients trying to cause excessive load on the system. (7288)
Smart Card Support
- An issue has been fixed where the ThinLinc client would fail to notice a smart card reader being added or removed. This caused issues for devices that integrate the reader and smart card in to a single device, e.g. Yubikey. (3572, 7253)
- The bundled PKCS#11 smart card library has been upgraded in order to fix several security issues where a malicious smart card could cause the client to crash or execute arbitrary code. (7243)
- ThinLinc no longer supports applications using the older EsounD protocol. All applications must now use PulseAudio, or a compatibility layer such as the ALSA plugin or padsp. (6108)
- A new section for administrating subclusters has been added to the ThinLinc Web Administration interface. (7188)
- The Web Adminstration now has basic protection against misbehaving clients. Such clients will be forcefully disconnected if unresponsive. This makes sure that system resources are not wasted needlessly. (7289)
- Integration with Microsoft Remote Desktop Services has been removed from ThinLinc. Installing and setting up such integration will now have to be performed separately from the ThinLinc installation. (7279)
- In order to avoid confusion with Web Access and streamline tl-setup, the Web Integration is no longer installed by default. The Administrators Guide has been amended with manual installation and setup instructions. (5190)
- Improved upgrade documentation by adding recommendations for how to upgrade a ThinLinc cluster and explaining how existing sessions are affected by ThinLinc server upgrades. (7112)
- New configuration folder: /vsmserver/subclusters/. Holds settings relating to subclusters. Subclusters replace both the parameters /vsmserver/terminalservers and /vsmserver/explicit_agentselection. (7188)
- The folder /profiles/ubuntu has been added to /opt/thinlinc/etc/conf.d/profiles.hconf as part of the new Ubuntu profile. (7208)
- The /vsmserver/terminalservers parameter has been renamed and moved into subclusters. Within each subcluster the agents parameter works the same way as terminalservers did before. (7188)
- The default value of /profiles/order parameter in the /opt/thinlinc/etc/conf.d/profiles.hconf configuration file now includes ubuntu. (7208)
- The /vsmserver/explicit_agentselection parameter has been removed. Subclusters can be used to achieve the same setup. (7188)
- The configuration folder /appservergroups and all parameters within have been removed.
A complete configuration reference can be found in the ThinLinc Administrators Guide.
ThinLinc has also been enhanced in many other ways. The complete list of corrected issues is:
400, 965, 1122, 2928, 3558, 3572, 3738, 4017, 4120, 4516, 4735, 4834, 4983, 4999, 5028, 5069, 5086, 5090, 5113, 5133, 5190, 5226, 5229, 5241, 5263, 5481, 5526, 5576, 5585, 5657, 5661, 5669, 5674, 5677, 5706, 5719, 5745, 5754, 5868, 5937, 5950, 6045, 6103, 6108, 6116, 6156, 6177, 6190, 6209, 6221, 6234, 6341, 6346, 6970, 7097, 7112, 7114, 7115, 7116, 7117, 7118, 7121, 7124, 7139, 7158, 7162, 7176, 7178, 7180, 7182, 7183, 7186, 7187, 7188, 7189, 7193, 7194, 7196, 7198, 7203, 7204, 7208, 7210, 7220, 7221, 7224, 7225, 7231, 7235, 7236, 7237, 7238, 7239, 7240, 7241, 7242, 7243, 7245, 7247, 7250, 7253, 7254, 7277, 7279, 7285, 7288, 7289, 7302, 7303, 7306, 7309, 7310
Dell is a registered trademark of Dell Inc.
Duo Access is a registered trademark of Duo Security, Inc.
Fedora is a registered trademark of Red Hat, Inc.
Linux is a registered trademark of Linus Torvalds.
OpenGL is a registered trademark of Silicon Graphics, Inc.
macOS and OS X are registered trademarks of Apple Computer, Inc.
ThinLinc is a registered trademark of Cendio AB.
Ubuntu is a registered trademark of Canonical Ltd.
UNIX is a registered trademark of The Open Group.
Windows is a registered trademark of Microsoft, Inc.
Wyse is a registered trademark of Wyse Technology Inc.