<html>

    <head>

      <base href="https://bugzilla.rosalinux.ru/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Platform</th>

          <td>2021.1

          </td>

        </tr>

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_CONFIRMED "

   title="CONFIRMED - [CVE 21] xrdp 0.9.20 CVEs found"

   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13346">13346</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>[CVE 21] xrdp 0.9.20  CVEs found

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>ROSA-based products

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>ROSA Fresh

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>CVE-2022-23468, CVE-2022-23477, CVE-2022-23478, CVE-2022-23479, CVE-2022-23480, CVE-2022-23481, CVE-2022-23482, CVE-2022-23483, CVE-2022-23484, CVE-2022-23493,

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>CONFIRMED

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>System (kernel, glibc, systemd, bash, PAM...)

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>QA Contact</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Target Milestone</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Flags</th>

          <td>secteam_verified?

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Please patch CVEs for package xrdp version 0.9.20

INFO (CVEs are): xrdp 0.9.20

 cves found

CVE-2022-23468

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a buffer over flow in xrdp_login_wnd_create() function. There are no known

workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23468">https://nvd.nist.gov/vuln/detail/CVE-2022-23468</a>

Severity: CRITICAL

CVE-2022-23477

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a buffer over flow in audin_send_open() function. There are no known

workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23477">https://nvd.nist.gov/vuln/detail/CVE-2022-23477</a>

Severity: CRITICAL

CVE-2022-23478

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Out of Bound Write in xrdp_mm_trans_process_drdynvc_channel_open() function.

There are no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23478">https://nvd.nist.gov/vuln/detail/CVE-2022-23478</a>

Severity: CRITICAL

CVE-2022-23479

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a buffer over flow in xrdp_mm_chan_data_in() function. There are no known

workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23479">https://nvd.nist.gov/vuln/detail/CVE-2022-23479</a>

Severity: CRITICAL

CVE-2022-23480

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a buffer over flow in devredir_proc_client_devlist_announce_req() function.

There are no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23480">https://nvd.nist.gov/vuln/detail/CVE-2022-23480</a>

Severity: CRITICAL

CVE-2022-23481

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Out of Bound Read in xrdp_caps_process_confirm_active() function. There are

no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23481">https://nvd.nist.gov/vuln/detail/CVE-2022-23481</a>

Severity: CRITICAL

CVE-2022-23482

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function. There are

no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23482">https://nvd.nist.gov/vuln/detail/CVE-2022-23482</a>

Severity: CRITICAL

CVE-2022-23483

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Out of Bound Read in libxrdp_send_to_channel() function. There are no known

workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23483">https://nvd.nist.gov/vuln/detail/CVE-2022-23483</a>

Severity: CRITICAL

CVE-2022-23484

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Integer Overflow in xrdp_mm_process_rail_update_window_text() function. There

are no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23484">https://nvd.nist.gov/vuln/detail/CVE-2022-23484</a>

Severity: CRITICAL

CVE-2022-23493

Desc: xrdp is an open source project which provides a graphical login to remote

machines using Microsoft Remote Desktop Protocol (RDP). xrdp &lt; v0.9.21 contain

a Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() function.

There are no known workarounds for this issue. Users are advised to upgrade.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23493">https://nvd.nist.gov/vuln/detail/CVE-2022-23493</a>

Severity: CRITICAL</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the QA Contact for the bug.</li>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>