Bug#858143: xrdp: CVE-2017-6967: incorrect placement of auth_start_session()
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 18 20:48:52 UTC 2017
Source: xrdp
Version: 0.9.1-7
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/neutrinolabs/xrdp/issues/350
Hi,
the following vulnerability was published for xrdp.
CVE-2017-6967[0]:
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect
| location, leading to PAM session modules not being properly
| initialized, with a potential consequence of incorrect configurations
| or elevation of privileges, aka a pam_limits.so bypass.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6967
[1] http://www.openwall.com/lists/oss-security/2017/03/18/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-remote-team
mailing list