Your message dated Tue, 13 Aug 2024 10:36:36 +0200
with message-id <92b71e0f0a99709d855be69e18012...@phys.ethz.ch>
and subject line xrdp: CVE-2024-39917
has caused the Debian Bug report #1076769,
regarding xrdp: CVE-2024-39917
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1076769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xrdp
Version: 0.10.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for xrdp.

CVE-2024-39917[0]:
| xrdp is an open source RDP server. xrdp versions prior to 0.10.0
| have a vulnerability that allows attackers to make an infinite
| number of login attempts. The number of max login attempts is
| supposed to be limited by a configuration parameter `MaxLoginRetry`
| in `/etc/xrdp/sesman.ini`. However, this mechanism was not
| effectively working. As a result, xrdp allows an infinite number of
| login attempts.

Please note that while the description says prior to 0.10.0, I do not
see the referenced commit in 0.10.0. But I might be wrong, so please
double-check my claim that it is yet unfixed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39917
    https://www.cve.org/CVERecord?id=CVE-2024-39917
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
[2] https://github.com/neutrinolabs/xrdp/commit/8ac2f6db34649a93d3c9c4fe8fda61203702e615

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
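The advisory quoted above says the `MaxLoginRetry` setting in `/etc/xrdp/sesman.ini` was meant to cap login attempts but had no effect. The following is an added example, not xrdp's code and not part of the bug report: it shows what that parameter is meant to enforce (a per-client failed-login counter checked before every attempt) and doubles as an audit helper that reads the value from a sesman.ini-style file. It assumes the key lives in a `[Security]` section, treats an absent, non-numeric or non-positive value as "no limit", and uses a constructed configuration fragment; the actual xrdp defect is not reproduced here.

```python
"""Added example (not xrdp's own code): what `MaxLoginRetry` in
/etc/xrdp/sesman.ini is meant to enforce, plus an audit helper.

Assumptions (not taken from the bug report): the key is in the
[Security] section, and an absent/invalid/non-positive value means
"no limit", which an auditor should flag.
"""
import configparser

# Constructed sample of a sesman.ini fragment (not copied from a real host).
SAMPLE_SESMAN_INI = """
[Globals]
ListenPort=3350

[Security]
AllowRootLogin=false
MaxLoginRetry=4
"""


def read_max_login_retry(ini_text, section="Security", key="MaxLoginRetry"):
    """Return the configured retry limit, or None when it is absent,
    non-numeric or not positive (assumed to mean 'unlimited')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    try:
        value = int(cp.get(section, key))
    except (configparser.Error, ValueError):
        return None
    return value if value > 0 else None


class LoginRetryLimiter:
    """Per-client consecutive-failure counter. The limit is compared
    against the counter BEFORE each attempt; if a server read the value
    but never performed this comparison, the observable result would be
    what the advisory describes: unlimited login attempts."""

    def __init__(self, max_retry):
        self.max_retry = max_retry      # None means no limit configured
        self.failures = {}              # client id -> consecutive failures

    def attempt_allowed(self, client):
        if self.max_retry is None:
            return True                 # no cap: every attempt goes through
        return self.failures.get(client, 0) < self.max_retry

    def record_failure(self, client):
        self.failures[client] = self.failures.get(client, 0) + 1

    def record_success(self, client):
        self.failures.pop(client, None)  # a good login resets the counter


def simulate_failed_logins(ini_text, client, attempts):
    """Feed `attempts` consecutive bad logins from `client` through a
    limiter configured from `ini_text`; return how many were admitted."""
    limiter = LoginRetryLimiter(read_max_login_retry(ini_text))
    admitted = 0
    for _ in range(attempts):
        if not limiter.attempt_allowed(client):
            break
        admitted += 1
        limiter.record_failure(client)
    return admitted


if __name__ == "__main__":
    limit = read_max_login_retry(SAMPLE_SESMAN_INI)
    print("MaxLoginRetry:", limit if limit is not None else "UNSET (flag this)")
    print("attempts admitted out of 10:",
          simulate_failed_logins(SAMPLE_SESMAN_INI, "client-A", 10))
```

With the sample configuration the limiter admits exactly four bad attempts and refuses the fifth; with the key missing it admits all of them, which is the condition an auditor should report. On a Debian host the complementary check is simply that the installed package is at least the version that closed this bug.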
--- Begin Message ---
Package: xrdp
Version: 0.10.1-1

This bug has been closed by the latest sid upload; unfortunately the d/changelog
does not mention the CVE, CVE-2024-39917.

Add it retrospectively to debian/changelog in a future upload.

detail
0.10.1 https://github.com/neutrinolabs/xrdp/commit/61b509f1d5d9b85128504c7b752e6e36d7b60b15
--- End Message ---