Your message dated Mon, 24 Apr 2017 19:04:50 +0000
with message-id <[email protected]>
and subject line Bug#858143: fixed in xrdp 0.9.1-8
has caused the Debian Bug report #858143,
regarding xrdp: CVE-2017-6967: incorrect placement of auth_start_session()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
858143: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858143
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.9.1-7
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/neutrinolabs/xrdp/issues/350

Hi,

the following vulnerability was published for xrdp.

CVE-2017-6967[0]:
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect
| location, leading to PAM session modules not being properly
| initialized, with a potential consequence of incorrect configurations
| or elevation of privileges, aka a pam_limits.so bypass.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6967
[1] http://www.openwall.com/lists/oss-security/2017/03/18/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xrdp
Source-Version: 0.9.1-8

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <[email protected]> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Apr 2017 20:14:36 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Dominik George <[email protected]>
Description:
 xorgxrdp   - Remote Desktop Protocol (RDP) modules for X.org
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 855536 858143
Changes:
 xrdp (0.9.1-8) unstable; urgency=medium
 .
   * Fix CVE-2017-6967. (Closes: #858143, #855536)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
