Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.1906 xrdp security update 3 April 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: xrdp Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-23482 CVE-2022-23481 CVE-2022-23480 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/03/msg00031.html Comment: CVSS (Max): 9.8 CVE-2022-23480 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3375-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb March 31, 2023 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : xrdp Version : 0.9.9-1+deb10u3 CVE IDs : CVE-2022-23480 CVE-2022-23481 CVE-2022-23482 Debian Bug : 1025879 It was discovered that there were a number of vulnerabilies in the xrdp Remote Desktop Protocol (RDP) server: * CVE-2022-23480: Prevent a series of potential buffer overflow vulnerabilities in the devredir_proc_client_devlist_announce_req() function. * CVE-2022-23481: Fix an out-of-bounds read vulnerability in the xrdp_caps_process_confirm_active() function. * CVE-2022-23482: Fix an out-of-bounds read vulnerability in the xrdp_sec_process_mcs_data_CS_CORE() function. For Debian 10 buster, these problems have been fixed in version 0.9.9-1+deb10u3. We recommend that you upgrade your xrdp packages. For the detailed security status of xrdp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xrdp Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmQm1dsACgkQHpU+J9Qx HljlcRAAtl6O9oCk8zzqPWgTC5H+I6/Ro+FW8UNEdLlVBa/tenj3TADFr30faeJZ vhqUCFx0ncaZRkmnNvT8Tyhi56E/NSFF8qCag7bnq0QrOAF24Ao/0y34K/vMXbTd P3xJnD8cbJws0TOwiKCUU5pRPxeRK+bZlvZy5TFs5VggU7p4u+obRZrsavgS0dbG xW8MF4UFvAG1g+N34VExzY5T/t9vG/xJjnV662az+h/xSdDuCzup8RGpa1Kvh+5H FmLZUY7J3DJTehKP2bp1kuOPEkYy2i6xB8AklqCpnh9QdR7ECo6VzH945tz4p9u4 qbEow4joMmtykvhMs+imOIf4AoOulpbi6EZnZ3fGO1zXjAH4EaSB+YCnG2VOnp1q 7LrOx0aQ1e5GA3EaEWrXaeh0zMc2c9L7xDA7D8lgHuV3RsqATp3KsOiEH6WF81rt NugP87L4X802FudOi7Hzf23+ToMsX/ofzQl2NVHE9QI8fw85KhEWlz4OmXfAcXrR 9z5FSKb+bpL1hCYokB2tv7Ey8UAsZeE2RNUvPgpdLcZ8MOqtUXVexghSh9lPQ+js N5lPBz2pu3OdtefIZU2bZfd5ZQLjI8gqfS9Y1TOXLrirh6kYgn0SjGiteQFKuod4 ym04jEuzJpicFqH03vgIYVN6EI2+/yUKdNKnZKQqSiIvDNIvu/8= =uBP0 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZCon8MkNZI30y1K9AQhEFA//S9Y8aQrlMZYnls7ywW8oaGgg5YlUlUGl epN5Rp8kp70BnYEtVsS/vs+jBqKZV/trCBaU7Po0dbEXKkejeNi60w/mCBRrYIEs I5MArdkiJs1QsIcLFmaR7rrzvS8Tqr5fVfemG5yITOAOzzw13NlrKoa2bYs8gPE7 9L7Pun02bkCVkUdiEaIJ1LYTHyP0UR3oABoIPYpOt8zbi+tApRQVUMsYcbqn4mUk 6bmiwcWEGB9yAI6+03yr0vGkne++Q8LB1s9jiiZL4BxHsf3n7/ceBrGGZJTTpgwP p7J5tHyxQqoq14q8rTgBg9EyAUOebEdwTZMzrjB690Uv7xqajhKCnmKtI0WJ4txW QhklJdovtxwiypuHG7DBgHlsAgW3qgUIDKZV6EzLXy0JPgu1ck2RIqoe5wQMzu2T woqPxWPKF3e0RpTZADRxfl8qUx6khmhTp5GiY76b5B3bqpkcCuFkbwbrX7d826SA lXgnbirVmF0a6fvltbEPz4b9wa+1Asnok6OfWOmn70mYmmmQTtGwIywvj8QmojdM nKXXmC3cCmu7T5e5Qj0m813vyWuqmXfmxltrl9RHzCgN+WdJXlab2EWZxUGEuRBS 8P2qKCvWKfArzJWQeZLAP9n75hgNTXUdNAV3pW4CX7T4o0I70SahICr4BiHNcuW6 HUYxGAEN3y4= =Jcvw -----END PGP SIGNATURE-----