Source: xrdp
Version: 0.9.21.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for xrdp.

CVE-2023-40184[0]:
| xrdp is an open source remote desktop protocol (RDP) server. In
| versions prior to 0.9.23 improper handling of session establishment
| errors allows bypassing OS-level session restrictions. The
| `auth_start_session` function can return non-zero (1) value on,
| e.g., PAM error which may result in session restrictions such as
| max concurrent sessions per user by PAM (ex
| ./etc/security/limits.conf) to be bypassed. Users (administrators)
| who don't use restrictions by PAM are not affected. This issue has
| been addressed in release version 0.9.23. Users are advised to
| upgrade. There are no known workarounds for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40184
    https://www.cve.org/CVERecord?id=CVE-2023-40184
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
[2] https://github.com/neutrinolabs/xrdp/commit/25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
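The bug class behind CVE-2023-40184, as an added illustration that is not xrdp's code and not part of the bug report: a session-establishment helper signals failure with a non-zero return, and the caller must refuse the session on that return rather than create it anyway. The `fake_pam_open_session` function and its in-memory per-user counter are hypothetical stand-ins for PAM session accounting under a `maxlogins` rule in `/etc/security/limits.conf`; `start_session_vulnerable` and `start_session_fixed` are likewise hypothetical names showing the unchecked and the checked pattern side by side.

```c
/* Added illustration of the CVE-2023-40184 bug class. Not xrdp's code:
 * the PAM accounting here is a hypothetical in-memory counter that stands in
 * for a "maxlogins" rule in /etc/security/limits.conf. */
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8
#define NAME_LEN 32

/* Hypothetical per-user session table standing in for PAM's accounting. */
struct user_sessions {
    char name[NAME_LEN];
    int open;
};

static struct user_sessions table[MAX_USERS];
static int max_logins = 1;   /* stands in for "<user> - maxlogins 1" */

static struct user_sessions *find_or_add(const char *user)
{
    for (int i = 0; i < MAX_USERS; i++) {
        if (table[i].name[0] == '\0') {
            strncpy(table[i].name, user, NAME_LEN - 1);
            table[i].name[NAME_LEN - 1] = '\0';
            return &table[i];
        }
        if (strcmp(table[i].name, user) == 0)
            return &table[i];
    }
    return NULL;                 /* table full: treat as failure */
}

/* Hypothetical stand-in for pam_open_session(): 0 on success, non-zero
 * when the per-user login limit would be exceeded. */
static int fake_pam_open_session(const char *user)
{
    struct user_sessions *u = find_or_add(user);
    if (u == NULL)
        return 1;
    if (u->open >= max_logins)
        return 1;                /* limit reached: PAM refuses */
    u->open++;
    return 0;
}

/* Vulnerable pattern: the PAM result is obtained but never acted on, so a
 * desktop session is created even when PAM refused it.
 * Returns 1 if a session was created, 0 if refused. */
int start_session_vulnerable(const char *user)
{
    int rc = fake_pam_open_session(user);
    (void)rc;                    /* error silently ignored */
    return 1;                    /* session created regardless */
}

/* Hardened pattern: any non-zero PAM result aborts session creation. */
int start_session_fixed(const char *user)
{
    if (fake_pam_open_session(user) != 0) {
        fprintf(stderr, "session for %s refused by PAM\n", user);
        return 0;
    }
    return 1;
}

/* Clear the constructed accounting table between scenarios. */
void reset_sessions(void)
{
    memset(table, 0, sizeof table);
}

int main(void)
{
    reset_sessions();
    printf("fixed: first login %d, second login %d\n",
           start_session_fixed("alice"), start_session_fixed("alice"));
    reset_sessions();
    printf("vulnerable: first login %d, second login %d\n",
           start_session_vulnerable("bob"), start_session_vulnerable("bob"));
    return 0;
}
```

With `maxlogins` set to 1, the hardened caller admits the first session and refuses the second, while the unchecked caller admits both, which is the restriction bypass the advisory describes. The fix in such code is to propagate the non-zero return all the way to the point that decides whether the session exists, not merely to log it.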