Hi Moritz, On Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote:
On Tue, Dec 11, 2018 at 04:42:17PM +0000, Mike Gabriel wrote:From my understanding the potential remote code executions that are mentioned in the CVE descriptions are triggered by a malign server and the code executions then happen on the client side.Thanks for background. Security issues only triggerable by a malicious RDP server are low impact, a malicious RDP server can mess with you in so many ways that client-side execution doesn't make a big difference. This is certainly not something that would warrant an upgrade to freerdp2 in a stable release, but if patches for 1.1 materialise they could be shipped via a point update. Cheers, Moritz
I will then look into patch backporting for LTS and upload them to stretch, too, once I have got them worked out.
Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpbOkxgZ9nX4.pgp
Description: Digitale PGP-Signatur