Source: xrdp
Version: 0.10.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for xrdp.

CVE-2024-39917[0]:
| xrdp is an open source RDP server. xrdp versions prior to 0.10.0
| have a vulnerability that allows attackers to make an infinite
| number of login attempts. The number of max login attempts is
| supposed to be limited by a configuration parameter `MaxLoginRetry`
| in `/etc/xrdp/sesman.ini`. However, this mechanism was not
| effectively working. As a result, xrdp allows an infinite number of
| login attempts.

Please note that, while the description says prior to 0.10.0, I do not see the referenced commit in 0.10.0. But I might be wrong, so please double-check my claim that it is yet unfixed.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39917
    https://www.cve.org/CVERecord?id=CVE-2024-39917
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
[2] https://github.com/neutrinolabs/xrdp/commit/8ac2f6db34649a93d3c9c4fe8fda61203702e615

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
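As an added illustration, not part of the bug report and not xrdp's code or the fix in [2], the Python below sketches the semantics a `MaxLoginRetry` cap is meant to have (after that many failed credential checks the connection is closed and no further credentials are evaluated) and a property check that distinguishes a limiter that enforces the cap from one whose cap has no effect, which is the failure mode the advisory describes. The `sesman.ini` fragment is constructed for the example; placing `MaxLoginRetry` under a `[Security]` section and treating `0` as "close before any check" are assumptions of this sketch, not xrdp's documented behaviour.

```python
import configparser
from typing import Callable, List, Tuple

CredCheck = Callable[[str, str], bool]

# Constructed ini fragment for this example (not copied from xrdp).
# Assumption: MaxLoginRetry lives in a [Security] section.
SAMPLE_SESMAN_INI = """
[Security]
AllowRootLogin=false
MaxLoginRetry=4
"""


def read_max_login_retry(ini_text: str) -> int:
    """Parse MaxLoginRetry from ini text; a negative value is a config error."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    value = cp.getint("Security", "MaxLoginRetry")
    if value < 0:
        raise ValueError("MaxLoginRetry must not be negative")
    return value


class LoginRetryLimiter:
    """Hypothetical per-connection limiter (not xrdp's implementation).

    The credential checker is called at most max_retry times with wrong
    credentials; after that the connection is 'closed' and later attempts,
    even with the right password, are never evaluated.
    """

    def __init__(self, max_retry: int, check: CredCheck):
        self.max_retry = max_retry
        self.check = check
        self.failures = 0
        # Assumption for this sketch: 0 means no attempt is allowed at all.
        self.closed = max_retry <= 0

    def attempt(self, user: str, password: str) -> str:
        if self.closed:
            return "closed"            # credentials are not looked at
        if self.check(user, password):
            return "granted"
        self.failures += 1
        if self.failures >= self.max_retry:
            self.closed = True         # cap reached: drop the connection
            return "closed"
        return "denied"


class UnlimitedLogin(LoginRetryLimiter):
    """Hypothetical broken variant: counts failures but never closes, so the
    configured cap has no effect (stands in for an ineffective limit)."""

    def attempt(self, user: str, password: str) -> str:
        if self.check(user, password):
            return "granted"
        self.failures += 1
        return "denied"


def run_attempts(limiter: LoginRetryLimiter,
                 creds: List[Tuple[str, str]]) -> List[str]:
    """Feed a sequence of (user, password) pairs and collect the outcomes."""
    return [limiter.attempt(u, p) for u, p in creds]


def limit_is_enforced(make_limiter: Callable[[CredCheck], LoginRetryLimiter],
                      max_retry: int, probes: int = 100) -> bool:
    """Property check: with `probes` wrong passwords, the credential checker
    must run at most max_retry times. False means the cap is ineffective."""
    evaluated = 0

    def always_wrong(user: str, password: str) -> bool:
        nonlocal evaluated
        evaluated += 1
        return False

    limiter = make_limiter(always_wrong)
    for i in range(probes):
        limiter.attempt("alice", f"guess{i}")
    return evaluated <= max_retry


if __name__ == "__main__":
    cap = read_max_login_retry(SAMPLE_SESMAN_INI)
    good = LoginRetryLimiter(cap, lambda u, p: p == "s3cret")
    print(run_attempts(good, [("alice", "a"), ("alice", "b"), ("alice", "c"),
                              ("alice", "d"), ("alice", "s3cret")]))
    print("enforcing:", limit_is_enforced(lambda c: LoginRetryLimiter(cap, c), cap))
    print("broken:   ", limit_is_enforced(lambda c: UnlimitedLogin(cap, c), cap))
```

The property check is the useful part: it does not care how a limiter is implemented, only that wrong credentials stop being evaluated once the configured cap is reached, which is exactly the guarantee the advisory says was missing.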