Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On Wed, Dec 12, 2018 at 03:46:10PM +0000, Mike Gabriel wrote:
> Hi Moritz,
> On Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote:
> > On Tue, Dec 11, 2018 at 04:42:17PM +0000, Mike Gabriel wrote:
> > > From my understanding the potential remote code executions that are
> > > mentioned in the CVE descriptions are triggered by a malign server and the
> > > code executions then happen on the client side.
> > Thanks for background.
> > Security issues only triggerable by a malicious RDP server are
> > low impact, a malicious RDP server can mess with you in so many
> > ways that client-side execution doesn't make a big difference.
> > This is certainly not something that would warrant an upgrade to
> > freerdp2 in a stable release, but if patches for 1.1 materialise
> > they could be shipped via a point update.
> > Cheers,
> > Moritz
> I will then look into patch backporting for LTS and upload them to stretch,
> too, once I have got them worked out.
Ubuntu released an update earlier the day which also covered the 1.x