SUSE: 2019:1847-1 important: xrdp

    Date 15 Jul 2019
    Posted By LinuxSecurity Advisories
    An update that solves three vulnerabilities and has 5 fixes is now available.
       SUSE Security Update: Security update for xrdp
    Announcement ID:    SUSE-SU-2019:1847-1
    Rating:             important
    References:         #1014524 #1015567 #1029912 #1060644 #1069591 
                        #1090174 #1100453 #1101506 
    Cross-References:   CVE-2013-1430 CVE-2017-16927 CVE-2017-6967
    Affected Products:
                        SUSE Linux Enterprise Server 12-SP4
                        SUSE Linux Enterprise Desktop 12-SP4
       This update for xrdp fixes the following issues:
       These security issues were fixed:
       - CVE-2013-1430:  When successfully logging in using RDP into an xrdp
         session, the file ~/.vnc/sesman_${username}_passwd was created. Its
         content was the equivalent of the user's cleartext password, DES
         encrypted with a known key.
       - CVE-2017-16927: The scp_v0s_accept function in sesman/libscp/libscp_v0.c
         in the session manager in xrdp through used an untrusted integer as a
         write length, which could lead to a local denial of service
       - CVE-2017-6967: Fixed call of the PAM function auth_start_session(). This
         led to PAM session modules not being properly initialized, with a
         potential consequence of incorrect configurations or elevation of
         privileges, aka a bypass (bsc#1029912).
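
An added check for the CVE-2013-1430 item above (example code written for this page, not part of the SUSE advisory or of xrdp): it reads passwd-format lines and reports every ~/.vnc/sesman_${username}_passwd file that still exists. It assumes files written before the update may remain on disk; the function name audit_sesman_files and the --scan switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): report leftover
# ~/.vnc/sesman_${username}_passwd files described under CVE-2013-1430.
# Assumption: files created before the update may still be on disk.

# Reads passwd-format lines (name:pw:uid:gid:gecos:home:shell) on stdin and
# prints one "LEFTOVER <user> <path>" line per file that exists.
# Returns 0 if nothing was found, 1 if at least one file exists.
audit_sesman_files() {
    found=0
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        # Skip malformed entries and accounts without a ~/.vnc directory.
        [ -n "$user" ] && [ -n "$home" ] && [ -d "$home/.vnc" ] || continue
        f="$home/.vnc/sesman_${user}_passwd"
        # -e is false for a dangling symlink, so test -L as well.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf 'LEFTOVER %s %s\n' "$user" "$f"
            found=1
        fi
    done
    return "$found"
}

# Hypothetical switch: scan every account the system knows about, including
# directory-service users and non-standard home locations.
if [ "${1:-}" = "--scan" ]; then
    getent passwd | audit_sesman_files
fi
```

A reported file holds the password equivalent the advisory describes, so treat that account's password as exposed when deciding on removal and rotation.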
       These non-security issues were fixed:
       - The KillDisconnected option for TigerVNC Xvnc sessions is now supported
       - Fixed an issue with delayed X KeyRelease events (bsc#1100453)
       - Force xrdp-sesman.service to start after xrdp.service. (bsc#1014524)
       - Avoid use of hard-coded sesman port. (bsc#1060644)
       - Fixed a regression connecting from Windows 10. (bsc#1090174)
    Patch Instructions:
       To install this SUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
       Alternatively you can run the command listed for your product:
       - SUSE Linux Enterprise Server 12-SP4:
          zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-1847=1
       - SUSE Linux Enterprise Desktop 12-SP4:
          zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-1847=1
    Package List:
       - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
       - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
    sle-security-updates mailing list