xrdp – New releases available – Bug Fix & Security Fix (0.9.26 & 0.10.1)

Hello World, 

Since our xrdp-installer script seems to be quite handy to some people out there, we are following the releases and security announcements made by the team behind the xRDP software solution a little more closely. We discovered that a new release was made available a few days ago. Actually, to be more correct, two new releases have been made available in recent weeks.

Let's see what's going on…

Overview

xRDP is a software package that provides remote desktop capabilities for a Linux machine and mimics the Remote Desktop capabilities found in the Windows operating system. Using xRDP, you can use your standard remote desktop client on Windows or Linux to remotely access your Linux desktop interface. The team behind the software releases updates on a regular basis. These updates can introduce new features and/or address security issues.

You can find the latest releases & release notes for the xrdp package by visiting this page 

New Release – Version 0.9.26 (reaching EOL)

If you remember, the team behind the xRDP software informed us that version 0.9.x would slowly be reaching end of life. As mentioned on the release page, v0.9.x will be maintained for a while but less actively. New releases will happen only when severe security vulnerabilities or critical bugs are found.

xrdp version 0.9.26 has been released mainly to provide bug fixes. One of the bug fixes is related to clipboard support and LibreOffice. The issue seems to have started with version 0.9.23. If you tried to copy/paste a picture into LibreOffice in your remote session, the image was never copied over. xrdp 0.9.26 fixes this issue.

There is no security fix in this release.

New Release – Version 0.10.1 

The latest and greatest version of xRDP is now 0.10.1. This package was released a few days ago (July 31, 2024). This release includes bug fixes and a security fix. You can see all the bug fixes on the release page, and we list them hereafter:

  • A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
  • Fix a systemd dependency (“network-online.target”) (#3088, backport of #3086)
  • A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
  • A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
  • A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
  • A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
  • Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
  • Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
  • Fix an issue some files are not included properly in release tarball (#3149 #3150)
  • Using ‘I’ in the session selection policy now works correctly (#3167 #3171)
  • A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
  • Screens wider than 4096 pixels should now be supported (#3083)
  • An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132 backport of #3143)

Again, you can see that the clipboard issue affecting image copying was also affecting version 0.10. So, we are happy to see that the changes have been included in this release. Indeed, our xrdp-installer script tries to detect the latest xrdp release. Since the last one was 0.10, the issue might have been affecting other users. Now, if you are using version 1.5.1 of the script, you should be downloading package version 0.10.1, which includes all these fixes.

We are starting to work on the next iteration of the xrdp-installer script, and we might want to introduce some changes in the next release to provide even more flexibility during the installation process. We are just starting, and we will see if we can still make it happen this year…

As mentioned earlier, this release also includes a security fix not covered by a CVE but detected beforehand (see below):

  • Unauthenticated RDP security scan finding / partial auth bypass. Thanks to @txtdawg for reporting this.

This release tackles this issue and improves the general security of the xRDP software solution.

Wayland Support ? Not yet ! 

As with previous releases, xRDP still does not support the Wayland display server and still relies on the aged Xorg display server. More and more distributions are shipping with Wayland as the default display server. So far, this is not an issue because xRDP can fall back to the Xorg display server. However, it seems that more and more software maintainers would like to move away from Xorg completely because it is considered legacy software. A good example is the team behind the Gnome Desktop, which is looking into removing support for the Xorg display server.

We think that it still might take some time before this happens. But it would be cool to see an xRDP software release that includes Wayland support. Gnome Remote Login (a feature of Gnome 46) is basically demonstrating that it's possible to perform an RDP connection against a Wayland session. We are looking forward to seeing if this happens soon.

What’s the impact for me ?

If you are using a well-established distribution like Ubuntu or Debian, and if you have performed the installation from the distribution repository, you might not be running the latest version of the xRDP package. The latest version of the xrdp package is usually not updated automatically in well-established distributions. For Ubuntu 24.04, the package available (at time of writing) is still version 0.9.24. It might get the latest version or not.

If you have performed the installation from sources, you will have to update the package yourself. You should remove the version installed on your system and recompile from source. So, if you want to use the latest version of xRDP, you will need to compile the software from sources. You can also use our famous xrdp-installer script, which simplifies and automates the installation on Debian-based systems (see https://www.c-nergy.be/products.html).
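A quick way to see where an installed version stands relative to the two releases discussed in this post. This is an added example, not part of the xrdp project or of the xrdp-installer script; the function names and status labels are made up for illustration.

```shell
#!/bin/sh
# Added example: classify an xrdp version string against the releases named in
# this post (0.9.26 and 0.10.1). Function names and status labels are hypothetical.
# Get the string from your system, e.g. on Debian/Ubuntu package installs:
#   dpkg-query -W -f='${Version}' xrdp
# or read it from `xrdp --version` on a source build.

# Reduce a package-style version to upstream x.y.z:
# drops an epoch ("1:"), a leading "v", and any Debian revision/suffix.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/^v//' -e 's/[-+~].*$//'
}

classify_xrdp() {
    v=$(upstream_version "$1")
    case "$v" in
        0.9.*)  branch=0.9;  patch=${v#0.9.};  latest=26 ;;  # 0.9.26
        0.10.*) branch=0.10; patch=${v#0.10.}; latest=1  ;;  # 0.10.1
        *) echo "unknown"; return 0 ;;
    esac
    # Refuse anything that is not a plain number (e.g. "0.9.x", "0.10.1.2")
    case "$patch" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$patch" -lt "$latest" ]; then
        # On 0.10.x this means the security fix shipped in 0.10.1 is absent;
        # on 0.9.x it means the 0.9.26 bug fixes are absent.
        echo "$branch-behind"
    else
        # "0.9-current" is still the branch the post describes as nearing EOL.
        echo "$branch-current"
    fi
}

# Classify the version given on the command line, if any.
if [ $# -gt 0 ]; then
    classify_xrdp "$1"
fi
```

For the Ubuntu 24.04 package mentioned above, a version string starting with 0.9.24 yields `0.9-behind`.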

Final Notes

This is it for this post!

The xRDP team has been quite active and busy lately. They have to maintain the version being phased out (the 0.9.x branch) by issuing bug and security fixes, but they also have to maintain the newest release branch (0.10.x), which provides the latest improvements. The xRDP team has announced that version 0.9.x is reaching end of life, and it is recommended to move to the latest release, 0.10.x, which is becoming the one and only officially supported version (soon?).

Linux distros like Ubuntu are still providing version 0.9.x of the software in their repos. The software is still valid and working, and we expect that the next release will include the newest version. In the meantime, if you want to use the latest version on your Ubuntu machine, you could give our famous xrdp-installer script (version 1.5.1) a try and provide some feedback. The script should ease the installation process so you can enjoy the latest version of the xrdp software.

We are looking into the next iteration of the xrdp-installer script, and we will see if we can improve it even further…

Stay tuned

Till Next time 
