xrdp-0.10.1-1.fc40


FEDORA-2024-e142be4915

Packages in this update:

xrdp-0.10.1-1.fc40

Update description:

Release notes for xrdp v0.10.1 (2024/07/31)

General announcements

A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.

Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.

Security fixes

Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.

New features

GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)

Bug fixes

A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
Fix a systemd dependency (“network-online.target”) (#3088, backport of #3086)
A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
A regression when pasting an image into LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
Fix a GFX multi-monitor screen placement issue on minimise/maximise (#3075 #3127)
Fix an issue where some files were not included properly in the release tarball (#3149 #3150)
Using ‘I’ in the session selection policy now works correctly (#3167 #3171)
A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
Screens wider than 4096 pixels should now be supported (#3083)
An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132, backport of #3143)

Internal changes

FreeBSD CI bumped to 13.3 (#3088, backport of #3104)

Changes for users

None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.

Changes for packagers or developers

None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.


xrdp-0.10.1-1.el9


FEDORA-EPEL-2024-94499c0981

Packages in this update:

xrdp-0.10.1-1.el9

Update description:

Same xrdp v0.10.1 (2024/07/31) release notes as in FEDORA-2024-e142be4915 above.


xrdp-0.10.1-1.fc39


FEDORA-2024-41c1bf8de6

Packages in this update:

xrdp-0.10.1-1.fc39

Update description:

Same xrdp v0.10.1 (2024/07/31) release notes as in FEDORA-2024-e142be4915 above.


xrdp-0.10.1-1.el8


FEDORA-EPEL-2024-2b876f90b2

Packages in this update:

xrdp-0.10.1-1.el8

Update description:

Same xrdp v0.10.1 (2024/07/31) release notes as in FEDORA-2024-e142be4915 above.


bind-9.18.28-2.fc40 bind-dyndb-ldap-11.10-29.fc40


FEDORA-2024-8af1780fdf

Packages in this update:

bind-9.18.28-2.fc40
bind-dyndb-ldap-11.10-29.fc40

Update description:

Update to BIND 9.18.28

Security Fixes

A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients. This has been fixed. (CVE-2024-0760) [GL #4481]

It is possible to craft excessively large resource record sets, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-records-per-type option. [GL #497] [GL #3405]

It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of record types that can be stored per owner name in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737) [GL #3403]

ISC would like to thank Toshifumi Sakaguchi who independently discovered and responsibly reported the issue to ISC. [GL #4548]
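The two new limits also apply to zone databases, so an authoritative zone that already carries more than 100 records of one type at a name (a large round-robin A set, say) or more than 100 record types at one owner name is affected by the new defaults. The following Python script is an added pre-upgrade check, not ISC code and not part of the advisory: it counts records per (owner, type) and types per owner in a master-format zone and reports anything over the default limits. It uses a deliberately simplified zone parser (assumptions: one record per line, no parenthesised multi-line records, no $INCLUDE or $GENERATE); the sample zone and the 150-address round-robin set are constructed for the example.

```python
"""Pre-upgrade check for the BIND 9.18.28 per-name limits (added example)."""
from collections import Counter, defaultdict

# Defaults of the new named.conf options, as stated in the release notes.
MAX_RECORDS_PER_TYPE = 100   # max-records-per-type
MAX_TYPES_PER_NAME = 100     # max-types-per-name

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone (not from any real deployment).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1 hostmaster 2024073101 7200 3600 1209600 3600
         IN NS   ns1
         IN MX   10 mail
ns1      IN A    192.0.2.1
mail     IN A    192.0.2.2
www      IN A    192.0.2.10
         IN A    192.0.2.11
         IN AAAA 2001:db8::10
"""

# Constructed: a 150-address round-robin set, above the new default of 100.
BIG_RRSET = "\n".join(f"lb IN A 10.{i // 256}.{i % 256}.1" for i in range(150)) + "\n"


def parse_zone(text, origin="."):
    """Return a list of (owner, rrtype) pairs for a master-format zone.

    Simplified parser (assumption of this example): one record per line,
    no parenthesised multi-line records, no $INCLUDE/$GENERATE.
    """
    records = []
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                       # $TTL and friends
            continue
        tokens = line.split()
        if raw[0] in " \t":                            # blank owner = previous owner
            if owner is None:
                raise ValueError("record without owner name")
        else:
            name = tokens.pop(0)
            if name == "@":
                name = origin
            elif not name.endswith("."):
                name = name + "." if origin == "." else f"{name}.{origin}"
            owner = name
        if tokens and tokens[0].isdigit():             # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:    # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper()))
    return records


def find_oversized(records, max_records_per_type=MAX_RECORDS_PER_TYPE,
                   max_types_per_name=MAX_TYPES_PER_NAME):
    """Return (RRsets over the per-type limit, owners over the per-name type limit)."""
    per_rrset = Counter(records)
    types_per_name = defaultdict(set)
    for owner, rrtype in records:
        types_per_name[owner].add(rrtype)
    over_records = {k: n for k, n in per_rrset.items() if n > max_records_per_type}
    over_types = {o: len(t) for o, t in types_per_name.items() if len(t) > max_types_per_name}
    return over_records, over_types


if __name__ == "__main__":
    over_records, over_types = find_oversized(parse_zone(SAMPLE_ZONE + BIG_RRSET))
    for (owner, rrtype), n in over_records.items():
        print(f"{owner} {rrtype}: {n} records > max-records-per-type {MAX_RECORDS_PER_TYPE}")
    for owner, n in over_types.items():
        print(f"{owner}: {n} types > max-types-per-name {MAX_TYPES_PER_NAME}")
```

Run it against a real zone by reading the file into `parse_zone`; the limits can be passed explicitly to mirror whatever values you intend to set for max-records-per-type and max-types-per-name in named.conf.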

Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [GL #4480]

Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure. This has been fixed. (CVE-2024-4076) [GL #4507]

Potential data races were found in our DoH implementation, related to HTTP/2 session object management and endpoints set object management after reconfiguration. These issues have been fixed. [GL #4473]

ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our attention.

When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. [GL #4661]

Source: https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html


USN-6939-1: Exim vulnerability


Phillip Szelat discovered that Exim misparses multiline MIME header
filenames. A remote attacker could use this issue to bypass a MIME filename
extension-blocking protection mechanism and possibly deliver executable
attachments to the mailboxes of end users.
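The class of bug described here is a filter that inspects the physical line carrying the Content-Disposition field name while the filename parameter sits on a continuation line. The Python below is an added illustration of that class in general, not Exim's code and not a reproduction of the specific Exim parsing defect: a line-oriented extension blocker is contrasted with one that uses the standard library MIME parser, which unfolds headers and reassembles RFC 2231 parameter sections before exposing the filename. The three messages are constructed sample data; the blocked-extension list is an assumption.

```python
"""Attachment extension blocking with and without a real MIME parser (added example)."""
import email
import os
import re
from email import policy

BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".js"}   # assumed policy


def _wrap(disposition_header: str) -> bytes:
    """Build a constructed two-part message around the given
    Content-Disposition header (sample data, not real mail traffic)."""
    return (
        "From: alice@example.org\n"
        "To: bob@example.org\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f"{disposition_header}\n"
        "\n"
        "not-a-real-binary\n"
        "--b1--\n"
    ).encode()


# Filename on the same physical line as the field name.
MSG_SINGLE_LINE = _wrap('Content-Disposition: attachment; filename="report.exe"')
# Same header folded (RFC 5322): the parameter lives on a continuation line.
MSG_FOLDED = _wrap('Content-Disposition: attachment;\n filename="report.exe"')
# RFC 2231 parameter continuation: the name is split into numbered sections.
MSG_RFC2231 = _wrap('Content-Disposition: attachment;\n filename*0="rep";\n filename*1="ort.exe"')


def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def naive_blocked(raw: bytes) -> bool:
    """Line-oriented filter: looks for filename= only on the physical line
    that carries the Content-Disposition field name, so anything placed on
    a continuation line is invisible to it."""
    for line in raw.splitlines():
        if line.lower().startswith(b"content-disposition:"):
            m = re.search(rb'filename="?([^";]+)"?', line, re.IGNORECASE)
            if m and extension_of(m.group(1).decode("ascii", "replace")) in BLOCKED_EXTENSIONS:
                return True
    return False


def mime_aware_blocked(raw: bytes) -> bool:
    """Parse the message with the stdlib MIME parser, which unfolds headers
    and joins RFC 2231 sections before get_filename() returns the name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and extension_of(name) in BLOCKED_EXTENSIONS:
            return True
    return False


if __name__ == "__main__":
    for label, raw in [("single line", MSG_SINGLE_LINE), ("folded", MSG_FOLDED), ("rfc2231", MSG_RFC2231)]:
        print(f"{label:12} naive={naive_blocked(raw)!s:5} mime-aware={mime_aware_blocked(raw)}")
```

The naive filter only blocks the single-line form; the two multiline forms sail through it, while the MIME-aware check catches all three. Any extension-blocking control must run on the parsed header value, never on raw physical lines.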


USN-6913-2: phpCAS vulnerability


USN-6913-1 fixed CVE-2022-39369 for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
This update provides the corresponding fix for Ubuntu 16.04 LTS.

Original advisory details:

Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim’s account on a
vulnerable CASified service.

This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.

For more information please refer to the section
“Upgrading 1.5.0 -> 1.6.0” of the phpCAS upgrading document:

https://github.com/apereo/phpCAS/blob/master/docs/Upgrading
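The advisory describes the flaw as deriving the service URL from HTTP headers and the fix as a configured service base URL that the application now has to supply. The Python below is an added example contrasting those two patterns generically; it is not phpCAS's PHP code and does not reproduce phpCAS internals. The header names consulted, the configured base-URL list, the CAS server URL and the constructed requests are all assumptions of the example; the serviceValidate request shape is the CAS 2.0 protocol endpoint.

```python
"""Service URL derivation for CAS ticket validation: header-trusting vs pinned (added example)."""
from urllib.parse import urlencode, urlsplit

CAS_SERVER = "https://cas.example.org/cas"            # assumed CAS server

# Hypothetical application configuration: the only base URLs this service is
# served from. This is the role the new service base URL argument plays.
SERVICE_BASE_URLS = ["https://app.example.org", "https://app-alt.example.org"]


def service_url_from_headers(headers: dict, path: str) -> str:
    """Pre-fix pattern: rebuild the service URL from request headers.
    Whoever can influence Host / X-Forwarded-Host chooses which 'service'
    the ticket is validated for."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{path}"


def service_url_pinned(headers: dict, path: str, base_urls=SERVICE_BASE_URLS):
    """Post-fix pattern: the base URL comes from configuration. The Host
    header may only select among configured bases; an unknown Host yields
    None and the caller must refuse to validate the ticket."""
    host = headers.get("Host", "")
    for base in base_urls:
        if urlsplit(base).netloc.lower() == host.lower():
            return base + path
    return None


def validate_url(service: str, ticket: str) -> str:
    """CAS 2.0 serviceValidate request the client sends for this ticket."""
    return f"{CAS_SERVER}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


# Constructed requests: one carrying a proxy-style header that names an
# attacker-chosen host, one plain request to the second configured base.
ATTACKER_HEADERS = {"Host": "app.example.org", "X-Forwarded-Host": "evil.example.net"}
NORMAL_HEADERS = {"Host": "app-alt.example.org"}

if __name__ == "__main__":
    print("header-derived:", service_url_from_headers(ATTACKER_HEADERS, "/login"))
    print("pinned:        ", service_url_pinned(ATTACKER_HEADERS, "/login"))
    print(validate_url(service_url_pinned(NORMAL_HEADERS, "/login"), "ST-1-example"))
```

With the header-derived pattern the ticket is validated against `https://evil.example.net/login`; with the pinned pattern the service stays within the configured bases, and a request for an unknown Host produces no service URL at all rather than a guess. That is the behavioural change behind the incompatible API: the client cannot pin the service URL unless the application tells it what the legitimate base URLs are.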
