
Mandriva Advisories

Package name: kdm
Date: March 20th, 2002
Advisory ID: MDKSA-2002:025
Affected versions: 7.1, 7.2, 8.0, CS1.0
Synopsis: Instructions correcting insecure configuration of kdm

Problem Description

A problem was discovered with the default configuration of the kdm
display manager in Mandrake Linux. By default, it allows XDMCP
connections from any host, which can be used to obtain a login screen
on your system remotely. This can be used to get the list of users on
that host, as displayed by kdm. It can also be used to circumvent
access control mechanisms such as tcpwrappers and restrictions on root
logins, whether at the console or from a remote host.

Solution

To disable remote connections, edit the /etc/X11/xdm/Xaccess file and
change the following two lines:

                *                       #any host can get a login window
                *  CHOOSER BROADCAST    #any indirect host can get a chooser

to:



Please note that Mandrake Linux 8.1 and 8.2 are not vulnerable to this,
as newer versions of kdm have a configuration option in the
/usr/share/config/kdm/kdmrc file that explicitly disables XDMCP
support.

Also please note that this advisory applies only if you are running kdm.
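The following script is an added example and is not part of the advisory or of the Mandrake packages. It audits an Xaccess file for the unrestricted rules the advisory describes (a bare "*" host pattern, with or without CHOOSER BROADCAST), and separately checks whether an 8.1/8.2-style kdmrc enables XDMCP through the Enable key of its [Xdmcp] section. Both sample files are constructed inline; the hardened Xaccess uses "!" negation and comment-out, which is an assumption about how an administrator might close the rules, not the advisory's own replacement text.

```shell
#!/bin/sh
# Added example (not from the Mandriva advisory): audit XDMCP exposure.

# Return 0 if no rule in the Xaccess file admits any host, 1 otherwise.
# A rule is unrestricted when its first field is a bare '*' (this covers
# both the login-window rule and the '* CHOOSER BROADCAST' rule); rules
# negated with '!' or commented out with '#' are treated as closed.
xdmcp_audit() {
    file=$1
    found=0
    set -f   # disable globbing: a '*' rule must not expand to file names
    while IFS= read -r line || [ -n "$line" ]; do
        rule=${line%%#*}          # drop trailing comment
        set -- $rule              # split the rule into fields
        [ $# -eq 0 ] && continue  # blank or comment-only line
        case $1 in
            '*') found=1; printf 'unrestricted XDMCP rule: %s\n' "$rule" ;;
        esac
    done < "$file"
    set +f
    return $found
}

# Return 0 if the kdmrc file has Enable=true (or an equivalent) in its
# [Xdmcp] section, 1 if XDMCP is disabled or the key is absent.
kdmrc_xdmcp_enabled() {
    section=""
    enabled=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\]) section=${line#[}; section=${section%]} ;;
            Enable=*)
                if [ "$section" = "Xdmcp" ]; then
                    case ${line#Enable=} in
                        true|True|TRUE|1|yes) enabled=0 ;;
                        *) enabled=1 ;;
                    esac
                fi ;;
        esac
    done < "$1"
    return $enabled
}

# Constructed samples for the demonstration (not real system files).
insecure=$(mktemp); hardened=$(mktemp); kdmrc_off=$(mktemp)
trap 'rm -f "$insecure" "$hardened" "$kdmrc_off"' EXIT

cat > "$insecure" <<'EOF'
# constructed sample resembling the default described in the advisory
*                       #any host can get a login window
*  CHOOSER BROADCAST    #any indirect host can get a chooser
EOF

cat > "$hardened" <<'EOF'
# constructed sample: first rule negated, second commented out (assumption)
!*                      #any host can get a login window
#*  CHOOSER BROADCAST   #any indirect host can get a chooser
EOF

cat > "$kdmrc_off" <<'EOF'
[General]
ConfigVersion=2.2
[Xdmcp]
Enable=false
EOF

for f in "$insecure" "$hardened"; do
    if xdmcp_audit "$f"; then
        echo "$f: no unrestricted XDMCP rules"
    else
        echo "$f: remote XDMCP access is open"
    fi
done
if kdmrc_xdmcp_enabled "$kdmrc_off"; then
    echo "$kdmrc_off: XDMCP enabled in kdmrc"
else
    echo "$kdmrc_off: XDMCP disabled in kdmrc"
fi
```

Run it against the real files (/etc/X11/xdm/Xaccess, and /usr/share/config/kdm/kdmrc on 8.1 or 8.2) to see which of the two controls is in effect on a given host; a non-zero exit from xdmcp_audit means the Xaccess rules still admit any host, regardless of what tcpwrappers or console login restrictions say.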

Updated Packages


References

http://www.kb.cert.org/vuls/id/634847
http://www.procheckup.com/security_info/vuln_pr0208.html

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.