Description
Security update for xrdp
This update for xrdp fixes the following issues:
- CVE-2023-40184: Fixed restriction bypass via improper session handling (bsc#1214805).
Package list
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
xrdp-0.9.10-3.11.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server 12 SP5
xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
xrdp-0.9.10-3.11.1
References
- Link for SUSE-SU-2023:3735-1
- E-Mail link for SUSE-SU-2023:3735-1
- SUSE Security Ratings
- SUSE Bug 1214805
- SUSE CVE CVE-2023-40184 page
Description
xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero value (1) on, for example, a PAM error, and that return value was not acted upon, so session restrictions enforced by PAM, such as the maximum number of concurrent sessions per user (e.g. via `/etc/security/limits.conf`), could be bypassed. Users (administrators) who do not enforce restrictions through PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
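On SLES 12 SP5 the fix is a backport: the patched package stays at upstream version 0.9.10 and only the release field changes to 3.11.1, so checking for upstream 0.9.23 would misreport patched hosts as vulnerable. The following script is an added example, not part of the advisory or of the xrdp project; it compares the installed xrdp version-release against the fixed one listed above. The fixed version string is taken from the package list; the function names and the numeric-only version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the xrdp project): decide whether
# the xrdp package installed on a SLES 12 SP5 host already carries the fix
# from SUSE-SU-2023:3735-1. FIXED_VERSION comes from the advisory's package
# list; the helper functions and their names are this example's own.
FIXED_VERSION="0.9.10-3.11.1"

# version_ge A B: exit 0 if the RPM "version-release" string A is >= B.
# Assumption: purely numeric components separated by '.' or '-', which holds
# for the xrdp versions in this advisory (rpm's own rpmvercmp handles more).
version_ge() {
  # Normalise to dot-separated fields; the trailing dot guarantees cut sees
  # a delimiter even for single-component versions such as "1".
  a=$(printf '%s.' "$1" | tr '-' '.')
  b=$(printf '%s.' "$2" | tr '-' '.')
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    # Both strings exhausted with no difference found: equal, so A >= B.
    if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# check_xrdp [VERSION]: print "fixed", "vulnerable" or "not installed".
# Without an argument it queries the local RPM database; passing a
# version-release string lets the logic be exercised offline.
check_xrdp() {
  if [ -n "$1" ]; then
    ver="$1"
  else
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xrdp 2>/dev/null) || ver=""
  fi
  case "$ver" in
    ""|*"not installed"*) echo "not installed"; return 0 ;;
  esac
  if version_ge "$ver" "$FIXED_VERSION"; then
    echo "fixed"
  else
    echo "vulnerable"
  fi
}

# Stand-alone run: report on the local host, or on a version given as $1.
check_xrdp "$@"
```

Run it as root or any user on the affected host; "vulnerable" means the package predates 0.9.10-3.11.1. The supported way to apply the fix is `zypper patch --cve=CVE-2023-40184`; this script only verifies the result afterwards and reports "not installed" on hosts without the xrdp package.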
Affected products
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:xrdp-0.9.10-3.11.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server 12 SP5:xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5:xrdp-0.9.10-3.11.1
References
- CVE-2023-40184
- SUSE Bug 1214805