Your message dated Mon, 02 Feb 2026 10:34:33 +0000
with message-id <[email protected]>
and subject line Bug#1126537: fixed in xrdp 0.10.1-4.1
has caused the Debian Bug report #1126537,
regarding xrdp: CVE-2025-68670: Improper bounds checking of domain string
length leads to Stack-based Buffer Overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.10.1-3.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for xrdp.
CVE-2025-68670[0]:
| xrdp is an open source RDP server. xrdp before v0.10.5 contains an
| unauthenticated stack-based buffer overflow vulnerability. The issue
| stems from improper bounds checking when processing user domain
| information during the connection sequence. If exploited, the
| vulnerability could allow remote attackers to execute arbitrary code
| on the target system. The vulnerability allows an attacker to
| overwrite the stack buffer and the return address, which could
| theoretically be used to redirect the execution flow. The impact of
| this vulnerability is lessened if a compiler flag has been used to
| build the xrdp executable with stack canary protection. If this is
| the case, a second vulnerability would need to be used to leak the
| stack canary value. Upgrade to version 0.10.5 to receive a patch.
| Additionally, do not rely on stack canary protection on production
| systems.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68670
https://www.cve.org/CVERecord?id=CVE-2025-68670
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
[2] https://github.com/neutrinolabs/xrdp/commit/0d6964415ac31f8240ed894de1ff626bf4683eac (v0.10.5)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
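As an added illustration of the bug class described in the advisory above, and not xrdp's own code, the following C parser reads a length-prefixed domain field into a fixed-size stack buffer and rejects any client-declared length that the packet or the destination cannot hold. The packet layout, the `DOMAIN_MAX` capacity and the sample packets are constructed for the example and simplified relative to the real RDP client info packet.

```c
/* Added illustration (not xrdp's code): parsing a length-prefixed
 * domain field from a client info packet into a fixed-size stack
 * buffer.  The layout (16-bit little-endian length, then data) is
 * constructed for the example and simplified relative to RDP. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOMAIN_MAX 256   /* capacity of the on-stack domain buffer */

/* Reads a 16-bit little-endian length followed by that many bytes of
 * domain data.  Returns the number of bytes consumed from 'in', or 0
 * if the packet is malformed or the domain does not fit.  'out' must
 * point to DOMAIN_MAX bytes; on success it is NUL-terminated. */
size_t parse_domain(const uint8_t *in, size_t in_len,
                    char out[DOMAIN_MAX])
{
    if (in_len < 2)
        return 0;                       /* truncated length field */
    size_t dom_len = (size_t)in[0] | ((size_t)in[1] << 8);

    /* Two checks make the copy safe: the declared length must be
     * covered by the received data, and it must leave room for the
     * terminator in the destination.  The vulnerable pattern omits
     * the second check and copies dom_len bytes unconditionally,
     * letting a remote client write past the end of out[]. */
    if (dom_len > in_len - 2)
        return 0;                       /* length exceeds packet */
    if (dom_len >= DOMAIN_MAX)
        return 0;                       /* would overflow out[] */

    memcpy(out, in + 2, dom_len);
    out[dom_len] = '\0';
    return 2 + dom_len;
}

/* Demonstration on constructed input: one well-formed packet and one
 * whose declared domain length exceeds the destination buffer. */
int main(void)
{
    char domain[DOMAIN_MAX];
    const uint8_t good[] = { 0x07, 0x00, 'E','X','A','M','P','L','E' };
    uint8_t bad[2 + 300];
    bad[0] = 300 & 0xff;
    bad[1] = 300 >> 8;
    memset(bad + 2, 'A', 300);

    size_t n = parse_domain(good, sizeof good, domain);
    printf("good: consumed %zu bytes, domain=\"%s\"\n", n, domain);
    n = parse_domain(bad, sizeof bad, domain);
    printf("bad: consumed %zu bytes (0 = rejected)\n", n);
    return 0;
}
```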
--- Begin Message ---
Source: xrdp
Source-Version: 0.10.1-4.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 31 Jan 2026 20:39:32 +0100
Source: xrdp
Architecture: source
Version: 0.10.1-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1126537
Changes:
xrdp (0.10.1-4.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-68670: Buffer overflow parsing domain (Closes: #1126537)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---