SUSE-SU-2020:1991-1

Опубликовано: 21 июл. 2020

Источник: suse-cvrf

Описание

Security update for xrdp

This update for xrdp fixes the following issues:

Security fixes (bsc#1173580, CVE-2020-4044):
- Add patches:
  - xrdp-cve-2020-4044-fix-0.patch
  - xrdp-cve-2020-4044-fix-1.patch
- Rebase SLE patch:
  - xrdp-fate318398-change-expired-password.patch
Update patch:
- xrdp-Allow-sessions-with-32-bpp.patch.patch

Список пакетов

HPE Helion OpenStack 8

xrdp-0.9.0~git.1456906198.f422461-21.27.1

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production

xrdp-0.9.0~git.1456906198.f422461-21.27.1

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Enterprise Storage 5

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Linux Enterprise Server 12 SP3-BCL

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Linux Enterprise Server 12 SP3-LTSS

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Linux Enterprise Server 12 SP4-LTSS

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Linux Enterprise Server for SAP Applications 12 SP3

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Linux Enterprise Server for SAP Applications 12 SP4

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE OpenStack Cloud 8

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE OpenStack Cloud 9

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE OpenStack Cloud Crowbar 8

xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE OpenStack Cloud Crowbar 9

xrdp-0.9.0~git.1456906198.f422461-21.27.1

Ссылки

https://www.suse.com/support/update/announcement/2020/suse-su-20201991-1/
Link for SUSE-SU-2020:1991-1
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007166.html
E-Mail link for SUSE-SU-2020:1991-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1173580
SUSE Bug 1173580
https://www.suse.com/security/cve/CVE-2020-4044/
SUSE CVE CVE-2020-4044 page

Описание

The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

Затронутые продукты

HPE Helion OpenStack 8:xrdp-0.9.0~git.1456906198.f422461-21.27.1

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:xrdp-0.9.0~git.1456906198.f422461-21.27.1

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:xrdp-0.9.0~git.1456906198.f422461-21.27.1

SUSE Enterprise Storage 5:xrdp-0.9.0~git.1456906198.f422461-21.27.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-4044.html
CVE-2020-4044
https://bugzilla.suse.com/1173580
SUSE Bug 1173580

SUSE-SU-2020:1991-1

Описание

Список пакетов

HPE Helion OpenStack 8

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production

SUSE Enterprise Storage 5

SUSE Linux Enterprise Server 12 SP3-BCL

SUSE Linux Enterprise Server 12 SP3-LTSS

SUSE Linux Enterprise Server 12 SP4-LTSS

SUSE Linux Enterprise Server for SAP Applications 12 SP3

SUSE Linux Enterprise Server for SAP Applications 12 SP4

SUSE OpenStack Cloud 8

SUSE OpenStack Cloud 9

SUSE OpenStack Cloud Crowbar 8

SUSE OpenStack Cloud Crowbar 9

Ссылки

Уязвимость: CVE-2020-4044

Описание

Затронутые продукты

Ссылки