A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.
Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via [Open Collective](https://opencollective.com/xrdp-project). Direct donations to each developer via GitHub Sponsors are also welcomed.
## Security fixes
* Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.
## New features
* GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)
## Bug fixes
* A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
* Fix a systemd dependency ("network-online.target") (#3088, backport of #3086)
* A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
* A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
* A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
* A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
* Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
* Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
* Fix an issue some files are not included properly in release tarball (#3149 #3150)
* Using 'I' in the session selection policy now works correctly (#3167 #3171)
* A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
* Screens wider than 4096 pixels should now be supported (#3083)
* An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132 backport of #3143)
## Internal changes
* FreeBSD CI bumped to 13.3 (#3088, backport of #3104)
## Changes for users
* None since v0.10.0.
* If moving from v0.9.x, read the v0.10.0 release note.
## Changes for packagers or developers
* None since v0.10.0.
* If moving from v0.9.x, read the v0.10.0 release note.
The biggest news of this release is that [Graphic Pipeline Extension](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpegfx/da5c75f9-cd99-450c-98c4-014a496942b0) also called GFX in short has been supported. xrdp v0.10 with GFX achieves more frame rates and less bandwidth compared to v0.9. There is a significant performance improvement especially if the client is Windows 11's mstsc.exe or Microsoft Remote Desktop for Mac. GFX H.264/AVC 444 mode and hardware-accelerated encoding are not supported in this version yet.
GFX implementation in xrdp is sponsored by an enterprise sponsor. @CyberTrust is also one of the sponsors. We very much appreciate the sponsorship. It helped us to accelerate xrdp development and land GFX earlier!
Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via [Open Collective](https://opencollective.com/xrdp-project). Direct donations to each developer via GitHub Sponsors are also welcomed.
This section describes the most user-visible new or changed features in xrdp since v0.9.19. See [Branch v0.10](#branch-v010) for all changes relative to v0.9.19.
* If moving from v0.9.x, read the '[User changes](#user-changes)' and '[Significant changes for packagers or developers section](#significant-changes-for-packagers-or-developers)' sections for the v0.10 branch below.
* The [x11rdp](/neutrinolabs/x11rdp) X server is no longer supported. Users will need to move to xorgxrdp (#2489)
* Running xrdp and xrdp-sesman on separate hosts is no longer supported.
* There are some changes to `xrdp.ini` and `sesman.ini` which break backwards compatibility. In particular:-
*`sesman.ini/Globals/ListenAddress` is not longer used. A warning message is generated if this is found in the configuration, but the configuration will continue to work.
*`sesman.ini/Globals/ListenPort` is now a path to a socket, or an unqualified socket in a default directory. If the old default value `3350` is found, a warning is generated and a default value is used instead. The configuration will continue to work.
* The `ip` and `pamsessionmng` parameters are no longer required in sections in `xrdp.ini` to locate the sesman port. Unnecessary usages of this parameter now generate warnings. The configuration will continue to work.
* The 'C' field for the session allocation policy has been replaced with `Policy=Separate`. This field is has a very specific specialist purpose, and will not be used by the vast majority of users. The renaming makes it much clearer what is happening (#2251 #2239). Any uses of the 'C' field will generate warnings, **and the configuration will require updating**
* The format of the date and time in the log file has been changed to ISO 8601 with milliseconds (#2386 #2541)
Users are urged to heed any generated configuration warnings and update their configurations. Later major versions of xrdp may remove these warnings, or introduce other behaviours for the affected parameters.
## Security fixes
This branch provides following important security fixes reported by [Team BT5 (BoB 11th)](https://github.com/Team-BT5). We appreciate their great help with making and reviewing patches for them.
* SCP (Sesman Control Protocol) has been refactored from separate V0 and V1 protocols to a simplified V2 protocol running on top of a new library 'libipm' (#2163).
* libipm provides a way to pass file descriptors between processes (#2494)
* SCP connections are now only supported on top of Unix Domain Sockets (#2207 #2235#2247)
* Monitor processing logic, which was in two places, has now been unified (#1895 #2301)
* Simplifications to transport connect logic (#2204)
* The fields in `struct trans` and `struct xrdp_client_info` used for storing client addressing information have been simplified (#2251)
* A couple of string utility functions have been added to parse character strings like the one used for the session allocation policy (#2251)
* cppcheck version used for CI bumped to 2.13.0 (#2520 #2737#2785#2886). Note that #2785 greatly increases cppcheck scan times.
* cppcheck install script no longer installs z3 for cppcheck >= 2.8 (#2782)
* The physical desktop size information sent from the client is now recorded in more situations (#2310)
* Simple maintenance improvements (#2354)
* An opaque type is now used for the auth_info handle used by the sesman auth module (#2362)
* CI updates to cope with github upgrades (#2394)
* GUIDs created for new sessions are now compliant with RFC4122 random UUIDs (#2420)
* Some 'magic numbers' have been replaced with constants (#2421)
* FreeBSD CI now runs a 'make check' (#2490)
* FreeBSD CI now runs on FreeBSD 13.2 (#2621 #2896)
* Some logging improvements on audio redirection (#2537)
* Extra executables : waitforx (#2492 #2591#2586) xrdp-sesexec (#2644)
* The poll() system call now replaces select() for monitoring file descriptors (#2497 #2568)
* sigaction() now replaces signal() for increased portability (#2813)
* Other portability changes (#2909)
* Some extra convenience functions were added for handling lists of strings (#2576)
*`g_malloc`, `g_free`, `g_memset`, `g_memcpy`, and `g_memmove` are now macros. These should not be used in new code (#2609)
* config_ac.h is now used consistently (#2667)
* as mentioned above, `g_file_open()` has been replaced with `g_file_open_ro()` and `g_file_open_rw()` calls
* The separate fifo packages in the common directory and chansrv have now been merged (#2686)
* Unicode conversions are now provided by explicit functions rather than relying on C library `mbstowcs()`/`wcstombs()` functions (#2794)
* Some test timeouts have been increased for slow CI machines (#2901)
*`g_obj_wait()` can now take a zero timeout (#2904)
* POSIX shared memory is now used to communicate with `xorgxrdp` rather than System-V shared memory (#2709 #2786#2889)
## Significant changes for packagers or developers
* The libscp.so shared library is replaced with libipm.so
* A new shared library libsesman.so contains shared code for sesman and related executables (#2601)
* The default setting for `--with-socketdir` is now `/var/run/xrdp` rather than `/tmp/.xrdp`. The new setting works for installations where `/tmp` is polyinstantiated ( see #1482 for more details)
* The permissions of the socketdir have changed from 1777 to 755 (owned by root). Within this directory are the sesman socket and user-specific directories. The user-specific directories store the session sockets used by each user (#2731).
It is recommended not to use the same `--with-socketdir` setting for v0.9.x and v0.10.x packages as the differing permissions can cause problems on package downgrades. See #3066 for an example of where this can be a problem.
