
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu


Dear Debian stretch Release Team,

in Debian LTS, we are currently discussing a complex update of the
freerdp (v1.1) package. The current status is this:

  * since March 2018 freerdp in stretch (and jessie) (Git
    snapshot of never released v1.1) is unusable against
    latest Windows servers.
    All Windows OS versions switched to RDP proto version 6
    plus CredSSP version 3, and the freerdp versions in Debian
    jessie/stretch do not support that.
  * for people using Debian stretch, the only viable work-around
    is using freerdp2 from stretch-backports.
  * people using Debian jessie LTS don't have any options (except
    for upgrading to stretch and using freerdp2 from stretch-bpo).
  * currently, we know of four unfixed CVE issues in freerdp (v1.1)
    (that are fixed in buster's freerdp2).

With my Debian LTS contributor hat on, I have started working on the open
freerdp CVE issues (which luckily appeared in an Ubuntu security update,
so not much work on this side) _and_ ...

... I have started backporting the required patches (at least these:
[1,2,3]) to get RDP proto version 6 working in Debian jessie's freerdp
v1.1 version.

This complete endeavour for LTS only makes sense if the stable release
team is open to accepting such a complex change to Debian stretch, too.

While working on these patches, I regularly get feedback from FreeRDP
upstream developer Bernhard Miklautz.

The Git version [4] of the proposed upload is not yet ready. After
feedback from Bernhard, I will have to backport various WinPR API calls
that are used around the RDP proto v6 implementation. So this whole thing
is still work in progress.

The reason for this mail is: if the stable release team declines this
update, then we will not bring it to Debian jessie LTS either.

Please give me a beacon signal (mainly a "yes, go ahead", or a "no, no
way!").

Please let me know if you need more info to consider.

Cheers,
Mike

[1] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0010_add-support-for-credssp-version-3.patch
[2] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0011_add-support-for-proto-version-6.patch
[3] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0012-fix-nla-don-t-use-server-version.patch
[4] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/tree/debian/stretch/updates

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

