FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 04:12:46 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: af065e47-5d62-11ee-bbae-1c61b4739ac9
Description: xrdp -- unchecked access to font glyph info

xrdp team reports:

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.


Discovery 2023-09-27
Entry 2023-09-27
Affected: xrdp < 0.9.23.1

CVE-2023-42822
https://www.cve.org/CVERecord?id=CVE-2023-42822
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
VuXML ID: 2675f0db-baa5-11ea-aa12-80ee73419af3
Description: xrdp -- Local users can perform a buffer overflow attack against the xrdp-sesman service and then impersonate it

Ashley Newson reports:

The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.


Discovery 2020-06-02
Entry 2020-06-30
Affected: xrdp < 0.9.13.1,1

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
CVE-2020-4044
VuXML ID: c9ff1150-5d63-11ee-bbae-1c61b4739ac9
Description: xrdp -- Improper handling of session establishment errors allows bypassing OS-level session restrictions

xrdp team reports:

In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions such as max concurrent sessions per user by PAM (e.g. /etc/security/limits.conf) being bypassed. Users (administrators) who don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.


Discovery 2023-08-30
Entry 2023-09-27
Affected: xrdp < 0.9.23

CVE-2023-40184
https://www.cve.org/CVERecord?id=CVE-2023-40184
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
VuXML ID: ba94433c-7890-11ed-859e-1c61b4739ac9
Description: xrdp -- multiple vulnerabilities

xrdp project reports:

This update is recommended for all xrdp users and provides the following important security fixes:

  • CVE-2022-23468
  • CVE-2022-23477
  • CVE-2022-23478
  • CVE-2022-23479
  • CVE-2022-23480
  • CVE-2022-23481
  • CVE-2022-23483
  • CVE-2022-23482
  • CVE-2022-23484
  • CVE-2022-23493

These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.


Discovery 2022-12-01
Entry 2022-12-10
Affected: xrdp < 0.9.21

CVE-2022-23468
CVE-2022-23477
CVE-2022-23478
CVE-2022-23479
CVE-2022-23480
CVE-2022-23481
CVE-2022-23483
CVE-2022-23482
CVE-2022-23484
CVE-2022-23493
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.21