Your message dated Sun, 08 Feb 2026 12:48:08 +0000
with message-id <[email protected]>
and subject line Bug#1126537: fixed in xrdp 0.9.21.1-1+deb12u2
has caused the Debian Bug report #1126537,
regarding xrdp: CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.10.1-3.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for xrdp.

CVE-2025-68670[0]:
| xrdp is an open source RDP server. xrdp before v0.10.5 contains an
| unauthenticated stack-based buffer overflow vulnerability. The issue
| stems from improper bounds checking when processing user domain
| information during the connection sequence. If exploited, the
| vulnerability could allow remote attackers to execute arbitrary code
| on the target system. The vulnerability allows an attacker to
| overwrite the stack buffer and the return address, which could
| theoretically be used to redirect the execution flow. The impact of
| this vulnerability is lessened if a compiler flag has been used to
| build the xrdp executable with stack canary protection. If this is
| the case, a second vulnerability would need to be used to leak the
| stack canary value. Upgrade to version 0.10.5 to receive a patch.
| Additionally, do not rely on stack canary protection on production
| systems.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68670
    https://www.cve.org/CVERecord?id=CVE-2025-68670
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
[2] https://github.com/neutrinolabs/xrdp/commit/0d6964415ac31f8240ed894de1ff626bf4683eac (v0.10.5)

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
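The bug class the advisory describes (a peer-supplied length copied into a fixed stack buffer without a bounds check) next to its hardened form, as an added illustration in C. This is not xrdp's code: the 16-bit little-endian length prefix, the buffer size and the sample packets are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire format for this illustration: a little-endian 16-bit
 * length followed by that many bytes of domain name. The buffer size is
 * also a constructed value, not xrdp's. */
#define DOMAIN_BUF 32

/* Constructed sample packets: a valid one, one whose length claims more
 * bytes than were sent, and one whose length exceeds the destination. */
const uint8_t SAMPLE_OK[]        = {7, 0, 'E', 'X', 'A', 'M', 'P', 'L', 'E'};
const uint8_t SAMPLE_TRUNCATED[] = {9, 0, 'E', 'X', 'A'};
const uint8_t SAMPLE_OVERSIZED[] = {0xFF, 0xFF, 'A'};
char g_domain[DOMAIN_BUF];

static int read_u16le(const uint8_t *in, size_t in_len, size_t *pos, uint16_t *out)
{
    if (in_len - *pos < 2) return -1;        /* not enough bytes for the length */
    *out = (uint16_t)(in[*pos] | (in[*pos + 1] << 8));
    *pos += 2;
    return 0;
}

/* Vulnerable pattern: trusts the peer-supplied length and copies it into a
 * fixed stack buffer, so a length above DOMAIN_BUF-1 writes past the buffer
 * (the stack-based overflow class in the advisory). Shown for comparison only;
 * never call it with untrusted input. Returns the parsed domain length. */
int parse_domain_unchecked(const uint8_t *in, size_t in_len)
{
    char domain[DOMAIN_BUF];
    size_t pos = 0;
    uint16_t len;
    if (read_u16le(in, in_len, &pos, &len) != 0) return -1;
    memcpy(domain, in + pos, len);           /* BUG: len never compared to sizeof domain */
    domain[len] = '\0';
    return (int)strlen(domain);
}

/* Hardened version: destination capacity and remaining input are both checked
 * before any copy, and the result is always NUL-terminated.
 * Returns the domain length, or -1 for malformed or oversized input. */
int parse_domain_checked(const uint8_t *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0;
    uint16_t len;
    if (out_cap == 0) return -1;
    if (read_u16le(in, in_len, &pos, &len) != 0) return -1;
    if (len >= out_cap) return -1;           /* would overflow the destination */
    if (len > in_len - pos) return -1;       /* length claims more bytes than sent */
    memcpy(out, in + pos, len);
    out[len] = '\0';
    return (int)len;
}
```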
--- Begin Message ---
Source: xrdp
Source-Version: 0.9.21.1-1+deb12u2
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 03 Feb 2026 13:27:53 +0100
Source: xrdp
Architecture: source
Version: 0.9.21.1-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1126537
Changes:
 xrdp (0.9.21.1-1+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2025-68670: Buffer overflow parsing domain (Closes: #1126537)

--- End Message ---