--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9417ff0bc5
2026-04-28 00:55:52.209245+00:00
--------------------------------------------------------------------------------

Name        : xrdp
Product     : Fedora 43
Version     : 0.10.6
Release     : 1.fc43
URL         : http://www.xrdp.org/
Summary     : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Security fixes
  CVE-2026-32105
  CVE-2026-32107
  CVE-2026-32623
  CVE-2026-32624
  CVE-2026-33145
  CVE-2026-33516
  CVE-2026-33689
  CVE-2026-35512

New features
  Support for xorgxrdp bug fixes #249 and #342 (#3721)

Bug fixes
  Honour pass_shell_as_env setting only if user sets a shell (#3725)
  We no longer try to create a NULL authentication file when using VNC over UDS (#3727)
  Problems with the Brazilian ABNT2 keyboard mapping have been corrected (#3728 3736)
  A 'file exists' error when installing xrdp over an existing installation has been addressed (#3780)

--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 18 2026 Bojan Smojver <[email protected]> - 1:0.10.6-1
- Update to 0.10.6
- CVE-2026-32105, CVE-2026-32107, CVE-2026-32623, CVE-2026-32624
- CVE-2026-33145, CVE-2026-33516, CVE-2026-33689, CVE-2026-35512

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2459298 - CVE-2026-32105 xrdp: xrdp: Data integrity compromised due to missing MAC signature verification in Classic RDP Security [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459298
  [ 2 ] Bug #2459302 - CVE-2026-32107 xrdp: xrdp: Privilege Escalation via improper privilege management [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459302
  [ 3 ] Bug #2459616 - CVE-2026-33145 xrdp: xrdp: Arbitrary Command Execution via unsafe handling of AlternateShell parameter [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459616
  [ 4 ] Bug #2459618 - CVE-2026-32623 xrdp: xrdp NeutrinoRDP: Remote Code Execution or Denial of Service via heap-based buffer overflow in fragmented RDP data handling [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459618
  [ 5 ] Bug #2459620 - CVE-2026-35512 xrdp: xrdp: Remote Code Execution via heap-based buffer overflow [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459620
  [ 6 ] Bug #2459621 - CVE-2026-33516 xrdp: xrdp: Denial of Service and Information Disclosure via specially crafted RDP message [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459621
  [ 7 ] Bug #2459623 - CVE-2026-33689 xrdp: xrdp: Denial of Service and Information Disclosure via Out-of-Bounds Read [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459623
  [ 8 ] Bug #2459625 - CVE-2026-32624 xrdp: xrdp: Denial of Service via crafted username and domain name [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459625
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9417ff0bc5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
