Your message dated Thu, 04 May 2017 17:18:35 +0000
with message-id <[email protected]>
and subject line Bug#858143: fixed in xrdp 0.9.1-9
has caused the Debian Bug report #858143,
regarding xrdp: CVE-2017-6967: incorrect placement of auth_start_session()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858143: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858143
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.9.1-7
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/neutrinolabs/xrdp/issues/350
Hi,
the following vulnerability was published for xrdp.
CVE-2017-6967[0]:
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect
| location, leading to PAM session modules not being properly
| initialized, with a potential consequence of incorrect configurations
| or elevation of privileges, aka a pam_limits.so bypass.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6967
[1] http://www.openwall.com/lists/oss-security/2017/03/18/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xrdp
Source-Version: 0.9.1-9
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominik George <[email protected]> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 04 May 2017 18:59:10 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Dominik George <[email protected]>
Description:
xorgxrdp - Remote Desktop Protocol (RDP) modules for X.org
xrdp - Remote Desktop Protocol (RDP) server
Closes: 858143
Changes:
xrdp (0.9.1-9) unstable; urgency=high
.
* Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---