Fedora has issued an advisory today (September 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/ Mageia 8 and 9 are also affected.
Whiteboard: (none) => MGA9TOO, MGA8TOOSource RPM: (none) => xrdp-0.9.21-1.mga9.src.rpmCC: (none) => nicolas.salguero
The Fedora announcement indicates that the CVE is fixed by v0.9.23. This pkg has no one maintainer, so assigning this update globally.
Assignee: bugsquad => pkg-bugsStatus comment: (none) => Looks to be fixed by xrdp v0.9.23
Suggested advisory: ======================== The updated packages fix a security vulnerability: In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. (CVE-2023-40184) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40184 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/ ======================== Updated packages in {8|9}/core/updates_testing: ======================== xrdp-0.9.23-1.mga{8|9} xrdp-devel-0.9.23-1.mga{8|9} from SRPM: xrdp-0.9.23-1.mga{8|9}.src.rpm
Status: NEW => ASSIGNEDVersion: Cauldron => 9Status comment: Looks to be fixed by xrdp v0.9.23 => (none)Assignee: pkg-bugs => nicolas.salgueroWhiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs
MGA8-64 Xfce on Acer Aspire 5253 No installation issues Ref bug 31309 Comment 8 for testing: On this laptop: # systemctl start xrdp # systemctl start xrdp-sesman.service # systemctl status xrdp ● xrdp.service - xrdp daemon Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2023-09-19 16:06:11 CEST; 33s ago Docs: man:xrdp(8) man:xrdp.ini(5) Main PID: 19141 (xrdp) Tasks: 1 (limit: 4364) Memory: 1.0M CPU: 26ms CGroup: /system.slice/xrdp.service └─19141 /usr/sbin/xrdp --nodaemon Sep 19 16:06:11 mach7.hviaene.thuis systemd[1]: Started xrdp daemon. Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] starting xrdp with pid 19141 Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] address [0.0.0.0] port [3389] mode 1 Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] listening to port 3389 on 0.0.0.0 Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] xrdp_listen_pp done Then opened port tcp/3389 in MCC On desktop PC (which already had freerdp installed) entered the command: xfreerdp /v:mach7 /u:<userid> /p:<passwd> Then after allowing the certificate, the desktop opened and was able to open caja and browse the files of the user on the laptop. Looks OK to me.
CC: (none) => herman.viaeneWhiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => mageia
Mageia9, x86_64 Followed Herman's lead on this. Checked that xrdp worked OK before updating - needed to install several things. Updated via qarepo and ran the test again. Two desktops side-by-side, sirius and antares. Port 3389 open at both ends. xrdp service restarted on one side. On antares ran $ xfreerdp /v:sirius /u:<user> /p:<password> /f which brought up a fullscreen Plasma session with a user terminal. Ran a local sirius calendar application from there. It was very responsive. Only thing to note was that the calendar background image looked washed out. Could not figure out how to close down and not being familiar with Plasma hit the closedown button which actually closed down the remote host - oops. Restarted everything and closed down the remote desktop window on antares by stopping the server on sirius. That is a warning not to use fullscreen. Anyway, it seems to be working on mga9.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OKCC: (none) => tarazed25
Validating. Advisory in comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs