Fedora 40 : xrdp (2024-e142be4915)

Nessus Plugin ID 205287 (severity: high)

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-e142be4915 advisory.

Release notes for xrdp v0.10.1 (2024/07/31)

General announcements

A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.

Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.
Security fixes

- Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.

New features

- GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)

Bug fixes

- A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
- Fix a systemd dependency (network-online.target) (#3088, backport of #3086)
- A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
- A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
- A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
- A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
- Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
- Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
- Fix an issue where some files were not included properly in the release tarball (#3149 #3150)
- Using 'I' in the session selection policy now works correctly (#3167 #3171)
- A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
- Screens wider than 4096 pixels should now be supported (#3083)
- An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132, backport of #3143)

Internal changes

- FreeBSD CI bumped to 13.3 (#3088, backport of #3104)

Changes for users

- None since v0.10.0.
- If moving from v0.9.x, read the v0.10.0 release note.

Changes for packagers or developers

- None since v0.10.0.
- If moving from v0.9.x, read the v0.10.0 release note.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected 1:xrdp package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2024-e142be4915

Plugin Details

Severity: High

ID: 205287

File Name: fedora_2024-e142be4915.nasl

Version: 1.1

Type: local

Agent: unix

Published: 8/9/2024

Updated: 8/9/2024

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:xrdp, cpe:/o:fedoraproject:fedora:40

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/31/2024

Vulnerability Publication Date: 7/31/2024

Reference Information