Hi,

I'm concerned that a number of web sites wrongly claim or imply that the vulnerability described in CVE-2005-1794 doesn't apply to xrdp, e.g., see http://people.canonical.com/~ubuntu-security/cve/2005/CVE-2005-1794.html and https://security-tracker.debian.org/tracker/CVE-2005-1794

(As a result of this misinformation, we almost dismissed the report from our vulnerability scanner as a false positive. There are of course many situations in which this vulnerability is not a problem, and in fact we're considering it a low priority, but in some environments this could have been a serious oversight.)

The descriptions of this CVE on sites like Mitre, Secunia, etc., generally make no mention of xrdp either way, but the way the vulnerability is described could easily lead people to assume that it does not apply to xrdp.

I'm intending to discuss this with some of the relevant organizations, with the intent of either adding references to xrdp to the most prominent online sources or perhaps issuing a new CVE; I'm not sure what the precedent is in cases like this. However, I thought I should discuss it with you first, in case you wanted to coordinate, or be CC'd in, or whatever.

Thoughts?

Harry.
xrdp-devel mailing list, xrdp-devel@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/xrdp-devel