Your message dated Sun, 08 Feb 2026 12:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1126537: fixed in xrdp 0.10.1-3.1+deb13u1
has caused the Debian Bug report #1126537,
regarding xrdp: CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xrdp
Version: 0.10.1-3.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for xrdp.
CVE-2025-68670[0]:
| xrdp is an open source RDP server. xrdp before v0.10.5 contains an
| unauthenticated stack-based buffer overflow vulnerability. The issue
| stems from improper bounds checking when processing user domain
| information during the connection sequence. If exploited, the
| vulnerability could allow remote attackers to execute arbitrary code
| on the target system. The vulnerability allows an attacker to
| overwrite the stack buffer and the return address, which could
| theoretically be used to redirect the execution flow. The impact of
| this vulnerability is lessened if a compiler flag has been used to
| build the xrdp executable with stack canary protection. If this is
| the case, a second vulnerability would need to be used to leak the
| stack canary value. Upgrade to version 0.10.5 to receive a patch.
| Additionally, do not rely on stack canary protection on production
| systems.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68670
https://www.cve.org/CVERecord?id=CVE-2025-68670
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
[2] https://github.com/neutrinolabs/xrdp/commit/0d6964415ac31f8240ed894de1ff626bf4683eac (v0.10.5)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
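The bug class the advisory above describes (a client-supplied domain string length that is never compared against the size of the stack buffer it is copied into), shown as an added illustration. This is not xrdp's code and not the upstream fix; the PDU layout, DOMAIN_MAX, and the parse_domain_* function names are hypothetical, and the sample PDUs are constructed inline.

```c
/* Added illustration, not xrdp's code: a length-prefixed "domain" field
 * read from an untrusted client PDU into a fixed-size stack buffer.
 * All names (struct pdu, DOMAIN_MAX, parse_domain_*) are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOMAIN_MAX 256          /* hypothetical fixed buffer size */
#define DOMAIN_TOO_LONG (-2)

/* Minimal read cursor over a received buffer. */
struct pdu { const uint8_t *p; size_t left; };

/* Read a 2-byte little-endian length; fail if the PDU is truncated. */
static int read_u16_le(struct pdu *in, uint16_t *out)
{
    if (in->left < 2) return -1;
    *out = (uint16_t)(in->p[0] | (in->p[1] << 8));
    in->p += 2;
    in->left -= 2;
    return 0;
}

/* Vulnerable pattern: the client-supplied length is only checked against
 * the bytes remaining in the PDU, never against the destination size, so
 * a length above DOMAIN_MAX overruns the caller's stack buffer. Kept for
 * contrast; nothing in this file calls it. */
int parse_domain_unchecked(struct pdu *in, char domain[DOMAIN_MAX])
{
    uint16_t len;
    if (read_u16_le(in, &len) != 0 || in->left < len) return -1;
    memcpy(domain, in->p, len);          /* len may exceed DOMAIN_MAX */
    domain[len] = '\0';
    in->p += len;
    in->left -= len;
    return 0;
}

/* Hardened form: reject the PDU before any copy when the length cannot fit
 * (leaving room for the terminator). */
int parse_domain_checked(struct pdu *in, char domain[DOMAIN_MAX])
{
    uint16_t len;
    if (read_u16_le(in, &len) != 0 || in->left < len) return -1;
    if (len >= DOMAIN_MAX) return DOMAIN_TOO_LONG;
    memcpy(domain, in->p, len);
    domain[len] = '\0';
    in->p += len;
    in->left -= len;
    return 0;
}

/* Build a constructed PDU whose domain field claims `claimed` bytes and
 * actually carries `claimed` bytes of filler, for exercising the parser. */
static size_t build_domain_pdu(uint8_t *buf, size_t cap, uint16_t claimed)
{
    if (cap < (size_t)claimed + 2) return 0;
    buf[0] = (uint8_t)(claimed & 0xff);
    buf[1] = (uint8_t)(claimed >> 8);
    memset(buf + 2, 'A', claimed);
    return (size_t)claimed + 2;
}

/* Parse a constructed PDU with a domain of `claimed` bytes through the
 * hardened parser; returns the parser's status code. */
int try_domain_length(uint16_t claimed)
{
    uint8_t raw[1024];
    char domain[DOMAIN_MAX];
    size_t n = build_domain_pdu(raw, sizeof raw, claimed);
    if (n == 0) return -1;
    struct pdu in = { raw, n };
    return parse_domain_checked(&in, domain);
}

int main(void)
{
    printf("len 5   -> %d\n", try_domain_length(5));    /* 0: accepted */
    printf("len 255 -> %d\n", try_domain_length(255));  /* 0: largest that fits with NUL */
    printf("len 256 -> %d\n", try_domain_length(256));  /* -2: rejected */
    printf("len 600 -> %d\n", try_domain_length(600));  /* -2: rejected before any copy */
    return 0;
}
```

The point of the contrast is that `in->left < len` only proves the bytes exist in the PDU; it says nothing about the destination. The bound has to be checked against the buffer the data lands in, and it has to happen before the copy, which is also why the advisory treats a stack canary as a mitigation rather than a fix.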
--- Begin Message ---
Source: xrdp
Source-Version: 0.10.1-3.1+deb13u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Feb 2026 07:09:05 +0100
Source: xrdp
Architecture: source
Version: 0.10.1-3.1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1126537
Changes:
xrdp (0.10.1-3.1+deb13u1) trixie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2025-68670: Buffer overflow parsing domain (Closes: #1126537)
Checksums-Sha1:
75a0cb087c713034c1af328730f1112dfe227848 2444 xrdp_0.10.1-3.1+deb13u1.dsc
4ee4b587fdea7dca399be3a25d93f746825e7053 2402893 xrdp_0.10.1.orig.tar.gz
b518cfe060ef8e03d6898851835802333706304a 38752 xrdp_0.10.1-3.1+deb13u1.debian.tar.xz
37c7a32e3b0ec776670d5d1a263c5debdd158048 6334 xrdp_0.10.1-3.1+deb13u1_source.buildinfo
Checksums-Sha256:
8bb0754dd4fb70e17d411e79e99342e72a2118da1f7782991591e33f1da23fc2 2444 xrdp_0.10.1-3.1+deb13u1.dsc
a2535f4420080630e20f0639c30c244170003ab998cc82d7913c2be856622f83 2402893 xrdp_0.10.1.orig.tar.gz
8a39cb0dd83bea428d7034cdf9831a56980dfac3ad398037fbdfb6aff940758f 38752 xrdp_0.10.1-3.1+deb13u1.debian.tar.xz
5727c1e0ecfc94072a8065de0addb321e440e2830027ec87f9f83b966c8dd88e 6334 xrdp_0.10.1-3.1+deb13u1_source.buildinfo
Files:
6943ecafd67ebfc618cf3b57fc80425d 2444 net optional xrdp_0.10.1-3.1+deb13u1.dsc
65edae2e80bcaa9b8fa6b8abd60fbe0e 2402893 net optional xrdp_0.10.1.orig.tar.gz
0eb75cba5a0c186fd26c1be30e5de383 38752 net optional xrdp_0.10.1-3.1+deb13u1.debian.tar.xz
872e8071b96dae4ef1dc0d3fff4e4a7c 6334 net optional xrdp_0.10.1-3.1+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---