
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)



Hi Moritz,

On Wednesday, 12 December 2018, Moritz Mühlenhoff wrote:
> On Wed, Dec 12, 2018 at 03:46:10PM +0000, Mike Gabriel wrote:
> > Hi Moritz,
> > 
> > On Tue 11 Dec 2018 22:15:33 CET, Moritz Mühlenhoff wrote:
> > 
> > > On Tue, Dec 11, 2018 at 04:42:17PM +0000, Mike Gabriel wrote:
> > > > From my understanding the potential remote code executions that are
> > > > mentioned in the CVE descriptions are triggered by a malign server and the
> > > > code executions then happen on the client side.
> > > 
> > > Thanks for the background.
> > > 
> > > Security issues only triggerable by a malicious RDP server are
> > > low impact; a malicious RDP server can mess with you in so many
> > > ways that client-side execution doesn't make a big difference.
> > > 
> > > This is certainly not something that would warrant an upgrade to
> > > freerdp2 in a stable release, but if patches for 1.1 materialise
> > > they could be shipped via a point update.
> > > 
> > > Cheers,
> > >         Moritz
> > 
> > I will then look into patch backporting for LTS and upload them to stretch,
> > too, once I have got them worked out.
> 
> Ubuntu released an update earlier today which also covered the 1.x
> versions, BTW.
> 

Nice! That will ease my day...

Mike

-- 
Sent from my Jolla
