Your message dated Sun, 01 Feb 2026 16:18:35 +0000
with message-id <[email protected]>
and subject line Bug#1126537: fixed in xrdp 0.10.5-1
has caused the Debian Bug report #1126537,
regarding xrdp: CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.10.1-3.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for xrdp.
CVE-2025-68670[0]:
| xrdp is an open source RDP server. xrdp before v0.10.5 contains an
| unauthenticated stack-based buffer overflow vulnerability. The issue
| stems from improper bounds checking when processing user domain
| information during the connection sequence. If exploited, the
| vulnerability could allow remote attackers to execute arbitrary code
| on the target system. The vulnerability allows an attacker to
| overwrite the stack buffer and the return address, which could
| theoretically be used to redirect the execution flow. The impact of
| this vulnerability is lessened if a compiler flag has been used to
| build the xrdp executable with stack canary protection. If this is
| the case, a second vulnerability would need to be used to leak the
| stack canary value. Upgrade to version 0.10.5 to receive a patch.
| Additionally, do not rely on stack canary protection on production
| systems.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68670
https://www.cve.org/CVERecord?id=CVE-2025-68670
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
[2] https://github.com/neutrinolabs/xrdp/commit/0d6964415ac31f8240ed894de1ff626bf4683eac (v0.10.5)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
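The defect class described in the advisory above (a declared domain-string length that is never compared against the fixed destination buffer) is easier to reason about next to a checked reader. The following is an added illustration, not xrdp's code and not the upstream fix commit: a hypothetical parser for a 16-bit little-endian length-prefixed string that rejects a length exceeding either the remaining input or the destination capacity before any copy happens. The function and constant names, the buffer size, the length framing and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack destination, the kind of buffer a
 * connection-sequence parser might hold. Name and size are assumptions. */
#define DOMAIN_BUF_SIZE 32

enum parse_result {
    PARSE_OK            = 0,
    PARSE_ERR_TRUNCATED = 1,   /* declared length runs past the input  */
    PARSE_ERR_TOO_LONG  = 2,   /* declared length exceeds destination   */
    PARSE_ERR_SHORT     = 3    /* not even a length prefix is present  */
};

/* Reads a little-endian 16-bit length followed by that many bytes and
 * copies them into dst as a NUL-terminated string. The copy happens only
 * after the length is checked against both the remaining input and
 * dst_size (one byte reserved for the terminator). The unchecked pattern
 * the advisory describes would copy `len` bytes with no dst_size test,
 * letting a peer-controlled length write past the stack buffer. */
enum parse_result read_domain(const uint8_t *in, size_t in_len,
                              char *dst, size_t dst_size, size_t *consumed)
{
    if (in_len < 2)
        return PARSE_ERR_SHORT;
    size_t len = (size_t)in[0] | ((size_t)in[1] << 8);
    if (len > in_len - 2)
        return PARSE_ERR_TRUNCATED;
    if (len >= dst_size)
        return PARSE_ERR_TOO_LONG;
    memcpy(dst, in + 2, len);
    dst[len] = '\0';
    *consumed = 2 + len;
    return PARSE_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[] = { 0x07, 0x00, 'E', 'X', 'A', 'M', 'P', 'L', 'E' };
/* Declares 1000 bytes but carries only 4: rejected before any copy. */
static const uint8_t SAMPLE_TRUNC[] = { 0xE8, 0x03, 'A', 'B', 'C', 'D' };

/* Builds a message whose declared length is consistent with the message
 * itself but larger than the destination buffer; this is exactly the case
 * the dst_size comparison exists to catch. */
enum parse_result check_oversized(void)
{
    uint8_t msg[2 + 64];
    msg[0] = 64;
    msg[1] = 0;
    memset(msg + 2, 'A', 64);
    char dst[DOMAIN_BUF_SIZE];
    size_t used = 0;
    return read_domain(msg, sizeof msg, dst, sizeof dst, &used);
}

int main(void)
{
    char dst[DOMAIN_BUF_SIZE];
    size_t used = 0;
    enum parse_result r;

    r = read_domain(SAMPLE_OK, sizeof SAMPLE_OK, dst, sizeof dst, &used);
    printf("well-formed: result=%d domain=\"%s\" consumed=%zu\n", r, dst, used);
    r = read_domain(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, dst, sizeof dst, &used);
    printf("truncated:   result=%d\n", r);
    printf("oversized:   result=%d\n", check_oversized());
    return 0;
}
```

The two separate checks matter: testing only against the remaining input (the truncated case) still lets a message that is internally consistent but longer than the buffer through, which is the oversized case above. Compiler stack protection, as the advisory notes, only changes what happens after such a copy; the length comparison is what prevents it.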
--- Begin Message ---
Source: xrdp
Source-Version: 0.10.5-1
Done: Alex Myczko <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alex Myczko <[email protected]> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 30 Jan 2026 15:58:54 +0100
Source: xrdp
Architecture: source
Version: 0.10.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Alex Myczko <[email protected]>
Closes: 1126537
Changes:
xrdp (0.10.5-1) experimental; urgency=medium
.
* New upstream version. (Closes: #1126537) (CVE-2025-68670)
* d/control: drop Rules-Requires-Root.
* Bump standards version to 4.7.2.
* d/copyright: bump years.
* d/watch: update to version 5.
Checksums-Sha1:
13a5bbd6ea084392d64fe6641b9101a9f071a500 2248 xrdp_0.10.5-1.dsc
54b25d043ed8a960877474b13d8764c99c994c5e 2489216 xrdp_0.10.5.orig.tar.gz
bd619fd0d665974e0002b3d59b16aba4c4deb421 37740 xrdp_0.10.5-1.debian.tar.xz
cae2d01c17ce6a97057ffa771eac600eec5338a8 7587 xrdp_0.10.5-1_source.buildinfo
Checksums-Sha256:
ca7529afa6dd3b37e5b347b0729d661aab0636437eeb0a264dc57662028faa1d 2248 xrdp_0.10.5-1.dsc
9abc96d164de4b1c40e2f3f537d0593d052a640cf3388978c133715ea69fb123 2489216 xrdp_0.10.5.orig.tar.gz
e277d5d8983741b509b1255464e5756d20690a150cce7d303d7261507107bee5 37740 xrdp_0.10.5-1.debian.tar.xz
8ab5881084bb742c2b416fc3b1a828c227859891ca33fe2bf53497c69f94150b 7587 xrdp_0.10.5-1_source.buildinfo
Files:
15889de301a7389ea2c3d8ce0933fb84 2248 net optional xrdp_0.10.5-1.dsc
0c57dc0933d25b6c41a579e80508af29 2489216 net optional xrdp_0.10.5.orig.tar.gz
26eb458b030466e8bb837711581f1e9a 37740 net optional xrdp_0.10.5-1.debian.tar.xz
5e64cf062508b3abe096f8f1d70fdf13 7587 net optional xrdp_0.10.5-1_source.buildinfo
--- End Message ---