Security update for xrdp SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3735-1 Final 1 1 2023-09-22T13:04:30Z current 2023-09-22T13:04:30Z 2023-09-22T13:04:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xrdp This update for xrdp fixes the following issues: - CVE-2023-40184: Fixed restriction bypass via improper session handling (bsc#1214805). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3735,SUSE-SLE-SERVER-12-SP5-2023-3735 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233735-1/ Link for SUSE-SU-2023:3735-1 https://lists.suse.com/pipermail/sle-security-updates/2023-September/016297.html E-Mail link for SUSE-SU-2023:3735-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1214805 SUSE Bug 1214805 https://www.suse.com/security/cve/CVE-2023-40184/ SUSE CVE CVE-2023-40184 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 libpainter0-0.9.10-3.11.1 librfxencode0-0.9.10-3.11.1 xrdp-0.9.10-3.11.1 xrdp-devel-0.9.10-3.11.1 xrdp-0.9.10-3.11.1 as a component of SUSE Linux Enterprise Server 12 SP5 xrdp-0.9.10-3.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-40184 SUSE Linux Enterprise Server 12 SP5:xrdp-0.9.10-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xrdp-0.9.10-3.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233735-1/ https://www.suse.com/security/cve/CVE-2023-40184.html CVE-2023-40184 https://bugzilla.suse.com/1214805 SUSE Bug 1214805