xrdp (0.6.0-1ubuntu0.1+esm3) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds reads
    - debian/patches/CVE-2022-23479.patch: stop read requests with an
      out-of-bounds header size in `common/trans.c`.
    - CVE-2022-23479
  * SECURITY UPDATE: out-of-bounds reads
    - debian/patches/CVE-2022-23481.patch: add length checking to
      parsing functions in `libxrdp/xrdp_caps.c`.
    - CVE-2022-23481
  * SECURITY UPDATE: out-of-bounds reads
    - debian/patches/CVE-2022-23483.patch: sanitize channel data in
      `xrdp/xrdp_mm.c`.
    - CVE-2022-23483
  * SECURITY UPDATE: bypassed session restrictions
    - debian/patches/CVE-2023-40184.patch: add error handling codes for
      `auth_start_session()` in `sesman/session.c`.
    - CVE-2023-40184
  * SECURITY UPDATE: out-of-bounds reads
    - debian/patches/CVE-2023-42822.patch: add fields to struct xrdp_font
      for bound checks added in `xrdp_font_create()` and
      the new macro `XRDP_FONT_GET_CHAR`.
    - CVE-2023-42822
  * debian/patches/2023-fix-log-message.patch: fix an invalid usage of
    `log_message()`.

 -- Allen Huang <allen.huang@canonical.com>  Tue, 07 Nov 2023 16:26:03 +0200

xrdp (0.6.0-1ubuntu0.1+esm2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2020-4044.patch: set limits for server incoming
      and outgoing message size to stop memory exhaustion attempts
    - CVE-2020-4044

 -- Allen Huang <allen.huang@canonical.com>  Wed, 01 Nov 2023 16:48:03 +0200

xrdp (0.6.0-1ubuntu0.1+esm1) trusty-security; urgency=medium

  * SECURITY UPDATE: Privilege elevation in PAM function.
    - debian/patches/CVE-2017-6967.patch: sesman: move auth/pam calls to main
      process.
    - CVE-2017-6967
  * SECURITY UPDATE: Denial of service in session manager caused by buffer
    overflow.
    - debian/patches/CVE-2017-16927.patch: scpv0; accept variable length
      data fields.
    - CVE-2017-16927
  * SECURITY REGRESSION: Fix connection problem.
    - debian/patches/fix_regression.patch: Fix connection issue in sesman.

 -- Paulo Flabiano Smorigo <pfsmorigo@canonical.com>  Thu, 03 Oct 2019 11:11:15 -0300

xrdp (0.6.0-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fixes a VNC security issue where the VNC password file is
    based on the user password.
    - debian/patches/CVE-2013-1430-1.patch: sesman: change vnc password file
      to guid
    - debian/patches/CVE-2013-1430-2.patch: sesman: work on guid / vnc
      password file
    - debian/patches/CVE-2013-1430-3.patch: xrdp,vnc: work on guid / vnc
      password file
    - debian/patches/CVE-2013-1430-4.patch: xrdp,vnc: password fixes
    - debian/patches/CVE-2013-1430-5.patch: vnc: add const and comments to
      rfbEncryptBytes
    - debian/patches/CVE-2013-1430-6.patch: sesman, xrdp: const, spacing
      changes
    - CVE-2013-1430

 -- Paulo Flabiano Smorigo <pfsmorigo@canonical.com>  Fri, 21 Dec 2018 11:30:15 -0200

xrdp (0.6.0-1) unstable; urgency=low

  * New upstream version. Closes: #687039.
  * Drop 07-unix-socks-in-var-run.patch: upstream now creates a dedicated
    directory for Unix sockets in /tmp (with mkdtemp).
  * Drop the following patches, applied upstream:
      + alt-gr-fix.patch
      + keycode-fix.patch
  * Bump Standards-Version to 3.9.3.
  * Enable hardening.

 -- Vincent Bernat <bernat@debian.org>  Sat, 29 Sep 2012 13:00:49 +0200

xrdp (0.5.0-2) unstable; urgency=low

  * Remove sesman logs on purge. Closes: #656212.
  * Don't create /var/log/sesman.log in postinst. sesman is now able to
    create it.
  * Don't create Unix socket in /tmp. Put them in /var/run/xrdp.
    Closes: #656210.
  * Bump Standards-Version to 3.9.2.

 -- Vincent Bernat <bernat@debian.org>  Sun, 22 Jan 2012 13:14:11 +0100

xrdp (0.5.0-1) unstable; urgency=low

  * New upstream version.
     + This version also happens to fix linking problems. Closes: #615803.
  * Support for some non-US keyboards whose keycodes may be greater than
    128 with a patch from Sasajima. Closes: #610961.

 -- Vincent Bernat <bernat@debian.org>  Sun, 18 Sep 2011 20:38:04 +0200

xrdp (0.5.0~20100303cvs-6) unstable; urgency=low

  * Add a patch to fix Alt-Gr issues with Windows TS client.
    Closes: #584666.
  * Bump Standards-Version to 3.9.1.

 -- Vincent Bernat <bernat@debian.org>  Wed, 11 Aug 2010 18:47:30 +0200

xrdp (0.5.0~20100303cvs-5) unstable; urgency=low

  * Rewrite of init.d by Javier Fernández-Sanguino Peña to be LSB
    compliant. Closes: #589757.
  * Bump Standards-Version to 3.9.0.

 -- Vincent Bernat <bernat@debian.org>  Sat, 24 Jul 2010 16:40:34 +0200

xrdp (0.5.0~20100303cvs-4) unstable; urgency=low

  * Add a patch to fall back to US keymap if the correct keymap is not
    found in /etc/xrdp. Closes: #575477.

 -- Vincent Bernat <bernat@debian.org>  Sat, 01 May 2010 20:09:05 +0200

xrdp (0.5.0~20100303cvs-3) unstable; urgency=low

  * Ensure that /var/run/xrdp is owned by xrdp:xrdp. Closes: #575438.

 -- Vincent Bernat <bernat@debian.org>  Thu, 25 Mar 2010 21:25:52 +0100

xrdp (0.5.0~20100303cvs-2) unstable; urgency=low

  * Allow to reuse an existing session, thanks to a patch from Daniel
    Baumann. Closes: #573258.

 -- Vincent Bernat <bernat@debian.org>  Wed, 10 Mar 2010 22:08:30 +0100

xrdp (0.5.0~20100303cvs-1) unstable; urgency=low

  * New upstream release (0.5.0) from CVS repository.
     + Upstream now provide a free font, therefore, we use pristine
       sources and we can drop 01sans_font.dpatch.
     + Drop most of the other patchs since they have been merged upstream.
     + Windows 7 RDP client can now connect. Closes: #572764.
     + Session selection is now available. Closes: #523281.
     + Mapping problems seems to be fixed. Closes: #483365.
     + No more unneeded awakening. Closes: #447377.
  * Bump Standards-Version to 3.8.4.
  * Switch to 3.0 (quilt) format.
  * Switch to debhelper 7.
  * Fix path to xrdp and xrdp-sesman in init.d script.
  * Drop debian/watch, we use a CVS version.
  * Build-Depends on libx*-dev since it is now requested by configure.

 -- Vincent Bernat <bernat@debian.org>  Mon, 08 Mar 2010 21:27:35 +0100

xrdp (0.4.1~dfsg-2) unstable; urgency=low

  * Don't chown /var/run/xrdp in postinst since it is done in init.d but
    create it to not rely on adduser doing it.

 -- Vincent Bernat <bernat@debian.org>  Sun, 27 Sep 2009 09:20:56 +0200

xrdp (0.4.1~dfsg-1) unstable; urgency=low

  * Package xrdp 0.4.1. Remove 09vista_mstc.dpatch and
    10mono_cursor.dpatch since they were included upstream. This new
    version happens to fix LDAP login.  Closes: #547999, #548002. LP: #429637.
  * Export locale settings from /etc/default/locale, thanks to a
    suggestion from Alessandro Vietta. Closes: #528032.
  * Fix a bus error on ARM, thanks to a patch from Sven-Ola
    Tuecke. Closes: #544384.
  * Update Standards-Version to 3.8.3. No changes required.
  * Don't ship /var/run/xrdp since it is created in init.d.

 -- Vincent Bernat <bernat@debian.org>  Sat, 26 Sep 2009 17:37:20 +0200

xrdp (0.4.0~dfsg-9) unstable; urgency=high

  * Fix CVE-2008-5902 and CVE-2008-5904 with the help of patches proposed
    by Ondrej Kolacek. The patch fixing CVE-2008-5902 also happens to fix
    CVE-2008-5903 by checking boundary before calling add_char_at(). This
    closes: #511641.
  * Really add patch to fix monochrome cursor issue.
  * Also updates Standards-Version and add ${misc:Depends} macro.
  * Don't use Pa macro in xrdp-keygen manual page.

 -- Vincent Bernat <bernat@debian.org>  Fri, 23 Jan 2009 21:29:14 +0100

xrdp (0.4.0~dfsg-8) unstable; urgency=low

  * Add a patch to fix monochrome cursor issue

 -- Vincent Bernat <bernat@debian.org>  Tue, 03 Jun 2008 00:17:16 +0200

xrdp (0.4.0~dfsg-7) unstable; urgency=medium

  * Due to OpenSSL weak random number generator, rsakeys.ini contains weak
    keys. We remove them on upgrade without any warning since they are not
    checked by any client.

 -- Vincent Bernat <bernat@debian.org>  Wed, 21 May 2008 06:49:20 +0200

xrdp (0.4.0~dfsg-6) unstable; urgency=low

  * Add Vcs-* fields to debian/control
  * Convert debian/copyright to machine-readable format (Closes: #469074)
  * Add a patch to support Visa SP1 mstc application, thanks to Jay Sorg

 -- Vincent Bernat <bernat@debian.org>  Thu, 08 May 2008 22:31:41 +0200

xrdp (0.4.0~dfsg-5) unstable; urgency=low

  * Package sessvc which was left out (Closes: #465210).
  * Sleep a bit after stopping so that xrdp can be restarted on upgrade.
  * Add an option in /etc/default/xrdp to avoid to restart xrdp on
    upgrade, thanks to a suggestion from Ola Lundqvist (Closes: #472186).

 -- Vincent Bernat <bernat@luffy.cx>  Wed, 26 Mar 2008 20:45:12 +0100

xrdp (0.4.0~dfsg-4) unstable; urgency=low

  * Add a patch to fix missing keys in fr and de layout. Layout
    enhancements are welcome! (Closes: #440912)
  * Bump Standards-Version to 3.7.3
  * Add XS-DM-Upload field to debian/control

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 02 Feb 2008 00:53:59 +0100

xrdp (0.4.0~dfsg-3) unstable; urgency=low

  * Delete user and group on purge.
  * Do not delete xrdp user on postinst if it exists, thanks to Trent
    W. Buck (Closes: #435671).
  * Provide a more generic PAM configuration file.
  * Run sesman as root to allow him to use PAM properly (Closes: #435667).
  * Fix file paths in man pages.

 -- Vincent Bernat <bernat@luffy.cx>  Sun, 05 Aug 2007 20:33:55 +0200

xrdp (0.4.0~dfsg-2) unstable; urgency=low

  * Includes a keygen utility from CVS to generate a fresh keypair on
    first start and ensure that permissions are correct. (Closes: #435076).
  * Removes redundant "open source" mention in description, thanks to Josh
    Triplett (Closes: #435061).
  * Add a watch file
  * Now running the daemon as xrdp user

 -- Vincent Bernat <bernat@luffy.cx>  Sun, 29 Jul 2007 13:05:46 +0200

xrdp (0.4.0~dfsg-1) unstable; urgency=low

  * Initial release (Closes: #391103)

 -- Vincent Bernat <bernat@luffy.cx>  Wed, 11 Jul 2007 09:13:08 +0200
