On 15/08/14 06:51, Harry Johnston wrote:
> Hi,
>
> I'm concerned that a number of web sites wrongly claim or imply that the
> vulnerability described in CVE-2005-1794 doesn't apply to xrdp, e.g., see
>
> http://people.canonical.com/~ubuntu-security/cve/2005/CVE-2005-1794.html
>
> and
>
> https://security-tracker.debian.org/tracker/CVE-2005-1794
>
> (As a result of this misinformation, we almost dismissed the report from
> our vulnerability scanner as a false positive. There are of course many
> situations in which this vulnerability is not a problem, and in fact
> we're considering it a low priority, but in some environments this could
> have been a serious oversight.)
What on earth makes you think that xrdp would have the same hard-coded RSA
key in it that a Microsoft terminal server binary had in it nine years ago?
What makes you think it has any hard-coded RSA keys?

> The descriptions of this CVE on sites like Mitre, Secunia, etc.,
> generally make no mention of xrdp either way, but the way the
> vulnerability is described could easily lead people to assume that it
> does not apply to xrdp.

Because it does would be a good starting point.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

_______________________________________________
xrdp-devel mailing list
xrdp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xrdp-devel