xrdp contains default keys generated at build-time
Hi maxice8,
The xrdp package in Alpine contains a private key. It is the same key for every system using that package, compromised by publishing the package.
Please consider rebuilding the package excluding the keys contained in the files /etc/xrdp/key.pem, /etc/xrdp/cert.pem, /etc/rsakeys.ini.
I'm writing to you as mails sent to Alan are rejected, and you were updating the package most recently.
I found the issue when xrdp was proposed for Void.
Regards,
[REDACTED]
I wonder if we should move the process to .post-install so a different key is generated in every install.
@kaniini tagging you since I can't find a @team/security, if possible assign to the appropriate party.
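
A sketch of the install-time generation suggested above, added here as an example; it is not Alpine's or xrdp's packaging script. The function name `ensure_xrdp_keys`, the choice to keep `rsakeys.ini` next to the PEM files, and the certificate parameters (2048-bit RSA, 365 days, CN set to the hostname) are assumptions.

```shell
#!/bin/sh
# Added example: generate xrdp key material on the installed host
# instead of shipping files produced at package build time.

# ensure_xrdp_keys DIR
# Creates DIR/key.pem and DIR/cert.pem (and DIR/rsakeys.ini when
# xrdp-keygen is installed) only if they are missing or empty, so a
# package upgrade does not rotate keys the host already generated.
ensure_xrdp_keys() {
    dir=$1
    mkdir -p "$dir" || return 1

    old_umask=$(umask)
    umask 077    # the private key is never group/world-readable, even briefly

    if [ ! -s "$dir/key.pem" ] || [ ! -s "$dir/cert.pem" ]; then
        # Self-signed pair; subject and lifetime are assumptions.
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" \
            -days 365 -subj "/CN=$(hostname)" >/dev/null 2>&1 \
            || { umask "$old_umask"; return 1; }
        chmod 600 "$dir/key.pem"
        chmod 644 "$dir/cert.pem"
    fi

    # Key pair used by classic RDP security, written by xrdp's own tool.
    if [ ! -s "$dir/rsakeys.ini" ] && command -v xrdp-keygen >/dev/null 2>&1; then
        xrdp-keygen xrdp "$dir/rsakeys.ini" >/dev/null \
            || { umask "$old_umask"; return 1; }
        chmod 600 "$dir/rsakeys.ini"
    fi

    umask "$old_umask"
}

# In a post-install script this would be called as:
#   ensure_xrdp_keys /etc/xrdp
```

Because existing files are left alone, a host that already installed the package with the shipped key keeps that key until the files are removed and regenerated.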