
Fedora 39: 2023-5134642a68 Critical: xrdp Session Handling Bypass

Fedora
September 15, 2023
xrdp version 0.9.23 has been released. It fixes CVE-2023-40184, a flaw in the handling of session establishment errors that allowed OS-level session restrictions to be bypassed, and it deprecates running xrdp and xrdp-sesman on separate hosts, a deployment the project itself describes as not secure.

Summary

xrdp provides a fully functional RDP server compatible with a wide range of RDP clients, including FreeRDP and Microsoft RDP client.

Update Information:

Release notes for xrdp v0.9.23 (2023/08/31)

General announcements
- Running xrdp and xrdp-sesman on separate hosts is still supported by this release, but is now deprecated. This is not secure. A future v1.0 release will replace the TCP socket used between these processes with a Unix Domain Socket, and then cross-host running will not be possible.

Security fixes
- CVE-2023-40184: Improper handling of session establishment errors allows bypassing OS-level session restrictions (Reported by @gafusss)

Bug fixes
- Environment variables set by PAM modules are no longer restricted to around 250 characters (#2712)
- X11 clipboard clients now no longer hang when requesting a clipboard format which isn't available (#2767)

New features
- No new features in this release.

Internal changes
- Introduce release tarball generation script (#2703)
- cppcheck version used for CI bumped to 2.11 (#2738)

Known issues
- On-the-fly resolution change requires the Microsoft Store v...

Change Log

* Fri Sep 1 2023 Bojan Smojver - 1:0.9.23-1
- Update to 0.9.23
- CVE-2023-40184

References


[ 1 ] Bug #2236307 - CVE-2023-40184 xrdp: xdp: restriction bypass via improper session handling [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2236307
[ 2 ] Bug #2236308 - CVE-2023-40184 xrdp: xdp: restriction bypass via improper session handling [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2236308

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-5134642a68' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html
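The following script is an added example and is not part of the Fedora advisory or the xrdp project. It ties the two operational points of this advisory together: it compares the installed xrdp version-release against the fixed build named above (0.9.23-1.fc39), applies the advisory with the dnf command given in the update instructions, re-verifies and restarts the daemons, and then warns if xrdp-sesman is configured for the cross-host deployment the release notes deprecate. Assumptions: the version comparison is a simplified form of rpm's ordering that is adequate for 0.9.x tags; the cross-host check assumes the listening address is the ListenAddress key in /etc/xrdp/sesman.ini and treats only loopback as local (verify the key name against your installed file); the systemd unit names xrdp and xrdp-sesman are those shipped by the Fedora package.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisory or the xrdp project.
# Check whether the installed xrdp predates the CVE-2023-40184 fix
# (xrdp-0.9.23-1.fc39 per the advisory), apply FEDORA-2023-5134642a68,
# re-verify, and flag the deprecated cross-host xrdp/sesman setup.
set -eu

ADVISORY="FEDORA-2023-5134642a68"
FIXED_VR="0.9.23-1.fc39"     # version-release from the advisory (epoch 1 omitted)

# vr_cmp A B: compare two rpm "version-release" strings field by field
# (split on '.' and '-'; numeric fields numerically, others lexically).
# Prints -1, 0 or 1. A simplification of rpm's EVR ordering that is
# sufficient for xrdp 0.9.x tags; for unusual tags prefer rpmdev-vercmp.
vr_cmp() {
    vc_a="$(printf '%s' "$1" | sed 's/[.-]/ /g') "
    vc_b="$(printf '%s' "$2" | sed 's/[.-]/ /g') "
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_x=${vc_a%% *}; vc_a=${vc_a#* }
        vc_y=${vc_b%% *}; vc_b=${vc_b#* }
        # A missing trailing field counts as 0, so 0.9.23 sorts before 0.9.23-1
        [ -n "$vc_x" ] || vc_x=0
        [ -n "$vc_y" ] || vc_y=0
        case "$vc_x$vc_y" in
            *[!0-9]*)   # at least one side is non-numeric: lexical order
                if [ "$vc_x" != "$vc_y" ]; then
                    vc_first=$(printf '%s\n%s\n' "$vc_x" "$vc_y" | sort | head -n 1)
                    if [ "$vc_first" = "$vc_x" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
                    return 0
                fi ;;
            *)          # both numeric
                if [ "$vc_x" -lt "$vc_y" ]; then printf '%s\n' -1; return 0; fi
                if [ "$vc_x" -gt "$vc_y" ]; then printf '%s\n' 1; return 0; fi ;;
        esac
    done
    printf '%s\n' 0
}

# xrdp_needs_update VR: true when VR (as printed by rpm -q) is older than FIXED_VR.
xrdp_needs_update() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" = -1 ]
}

# sesman_listens_remotely FILE: true when sesman.ini binds the xrdp<->sesman
# TCP socket to something other than loopback, i.e. the deprecated cross-host
# deployment. Assumption: the key is "ListenAddress" in sesman.ini.
sesman_listens_remotely() {
    sl_addr=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]*=[[:space:]]*//p' "$1" \
              | head -n 1 | tr -d ' \t\r')
    [ -n "$sl_addr" ] && [ "$sl_addr" != "127.0.0.1" ] && [ "$sl_addr" != "::1" ]
}

main() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this helper is for Fedora/EPEL hosts" >&2
        return 0
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xrdp) || {
        echo "xrdp is not installed; nothing to do"
        return 0
    }
    if xrdp_needs_update "$installed"; then
        echo "xrdp $installed predates the CVE-2023-40184 fix; applying $ADVISORY"
        dnf upgrade --advisory "$ADVISORY"
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xrdp)
        if xrdp_needs_update "$installed"; then
            echo "xrdp is still at $installed after the upgrade; check enabled repositories" >&2
            return 1
        fi
        # The fix is only live once the running daemons are restarted.
        systemctl restart xrdp-sesman xrdp
    fi
    echo "xrdp $installed is at or past $FIXED_VR"
    if [ -r /etc/xrdp/sesman.ini ] && sesman_listens_remotely /etc/xrdp/sesman.ini; then
        echo "WARNING: sesman listens on a non-loopback address; cross-host xrdp/sesman" \
             "is deprecated and insecure (see the 0.9.23 release notes)" >&2
    fi
}

# Run only when invoked as "sh this.sh --apply" (root is needed for dnf and
# systemctl); otherwise the file just defines the functions for sourcing.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The version comparison is kept deliberately simple: the advisory only requires distinguishing 0.9.22 and earlier from 0.9.23-1.fc39, and anything newer is treated as fixed. Run the cross-host check on every host that carries sesman, not just the one being patched, because the deprecation applies to the deployment topology rather than to a single package.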

Severity
critical

Name: xrdp
Product: Fedora 39
Version: 0.9.23
Release: 1.fc39
Summary: Open source remote desktop protocol (RDP) server
