Debian Security Advisory

DSA-4737-1 xrdp -- security update

Date Reported:
29 Jul 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 964573.
In Mitre's CVE dictionary: CVE-2020-4044.
More information:

Ashley Newson discovered that the XRDP sessions manager was susceptible to denial of service. A local attacker can further take advantage of this flaw to impersonate the XRDP sessions manager and capture any user credentials that are submitted to XRDP, approve or reject arbitrary login credentials or to hijack existing sessions for xorgxrdp sessions.

For the stable distribution (buster), this problem has been fixed in version 0.9.9-1+deb10u1.

We recommend that you upgrade your xrdp packages.

For the detailed security status of xrdp please refer to its security tracker page at: