Security update for xrdp

Announcement ID:	SUSE-SU-2020:1943-1
Rating:	important
References:	bsc#1138954 bsc#1144327 bsc#1144379 bsc#1150584 bsc#1152711 bsc#1153471 bsc#1155789 bsc#1155952 bsc#1157860 bsc#1173580
Cross-References:	CVE-2017-6967 CVE-2020-4044
CVSS scores:	CVE-2017-6967 ( SUSE ): 5.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-6967 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2017-6967 ( NVD ): 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-4044 ( SUSE ): 7.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-4044 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Enterprise Storage 4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 7

An update that solves two vulnerabilities and has eight security fixes can now be installed.

Description:

This update for xrdp provides the following fix:

• CVE-2020-4044: xrdp-sesman can be crashed remotely over port 3350 (bsc#1173580).
• Fixed an issue where xrdp-sesman could not restart (bsc#1155952).
• Fixed an issue where xrdp could not start due to an error in the service file use absolute path in ExecStart (bsc#1155789).
• Fixed a PAM error after 2nd xrdp session after logout (bsc#1153471).
• Fixed a crash in xrdp-sesman, caused by terminating and reconnecting an xrdp session (bsc#1152711).
• Fixed a failure in RDP session recovery (bsc#1150584).
• Fixed a process leak (bsc#1144379).
• Let systemd handle the daemons, fixing daemon start failures. (bsc#1138954, bsc#1144327)
• Don't try to create .vnc directory if it already exists. (bsc#1157860)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 7
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1943=1
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  zypper in -t patch SUSE-SLE-POS-12-SP2-CLIENT-2020-1943=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1943=1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1943=1
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2020-1943=1
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1943=1
• SUSE Enterprise Storage 4
  zypper in -t patch SUSE-Storage-4-2020-1943=1

Package List:

• SUSE OpenStack Cloud 7 (x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (ppc64le s390x x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1
• SUSE Enterprise Storage 4 (x86_64)
  • xrdp-debuginfo-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-debugsource-0.9.0~git.1456906198.f422461-16.20.1
  • xrdp-0.9.0~git.1456906198.f422461-16.20.1

References:

• https://www.suse.com/security/cve/CVE-2017-6967.html
• https://www.suse.com/security/cve/CVE-2020-4044.html
• https://bugzilla.suse.com/show_bug.cgi?id=1138954
• https://bugzilla.suse.com/show_bug.cgi?id=1144327
• https://bugzilla.suse.com/show_bug.cgi?id=1144379
• https://bugzilla.suse.com/show_bug.cgi?id=1150584
• https://bugzilla.suse.com/show_bug.cgi?id=1152711
• https://bugzilla.suse.com/show_bug.cgi?id=1153471
• https://bugzilla.suse.com/show_bug.cgi?id=1155789
• https://bugzilla.suse.com/show_bug.cgi?id=1155952
• https://bugzilla.suse.com/show_bug.cgi?id=1157860
• https://bugzilla.suse.com/show_bug.cgi?id=1173580