Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: debian-lts@lists.debian.org, team@security.debian.org, bernhard.miklautz@shacknet.at
Subject: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Tue, 11 Dec 2018 22:15:33 +0100
Message-id: <[🔎] 20181211211533.GA17302@pisco.westfalen.local>
In-reply-to: <[🔎] 20181211164217.Horde.BMLtplE-WKNzTGYlqc4eve4@mail.das-netzwerkteam.de>
References: <[🔎] 20181210174451.Horde.B1NfVFfMb9XLz02NBYRJxA5@mail.das-netzwerkteam.de> <[🔎] 20181210213034.GB15274@pisco.westfalen.local> <[🔎] 20181211164217.Horde.BMLtplE-WKNzTGYlqc4eve4@mail.das-netzwerkteam.de>

On Tue, Dec 11, 2018 at 04:42:17PM +0000, Mike Gabriel wrote:
> From my understanding the potential remote code executions that are
> mentioned in the CVE descriptions are triggered by a malign server and the
> code executions then happen on the client side.

Thanks for background.

Security issues only triggerable by a malicious RDP server are
low impact, a malicious RDP server can mess with you in so many
ways that client-side execution doesn't make a big difference.

This is certainly not something that would warrant an upgrade to
freerdp2 in a stable release, but if patches for 1.1 materialise
they could be shipped via a point update.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Jan Ingvoldstad <jan-debian-lts-2014@oyet.no>
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

References:
- Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Prev by Date: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Next by Date: Re: Possible patch-backport problem for libphp-phpmailer (DLA-1591-1)
Previous by thread: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Next by thread: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Index(es):
- Date
- Thread