oss-sec mailing list archives
Re: CVE Request -- FreeRDP: Multiple security fixes in 1.1.0-beta1 version
From: Bernhard Miklautz <bmiklautz () thinstuff at>
Date: Fri, 12 Jul 2013 02:55:49 +0200
Hi Kurt,

On Thu, Jul 11, 2013 at 12:48:19PM -0600, Kurt Seifried wrote:
> (some time ago) FreeRDP upstream has released 1.1.0-beta1 version:
> [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956

to clarify our current stable version is 1.0.2. FreeRDP version 1.1.0 is *beta* and still under development and therefore not stable or production ready and subject to frequent changes (as [1] also stated).

> correcting multiple security flaws:
> * library / client side fixes:
> https://github.com/FreeRDP/FreeRDP/pull/887
>
> Can someone from upstream confirm if these are hardening or a security fix?

Hardening.

> https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
> https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388
>
> Can someone from upstream confirm if these are hardening or a security fix?

Neither nor.

> * server side fixes:
> https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
>
> Please use CVE-2013-4118 for this issue.
>
> https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53
>
> Please use CVE-2013-4119 for this issue.

There might also be some misunderstanding. The initial CVE request stated that 1.1.0-beta1 corrected these flaws but as a matter of fact only the commits from pull request 887 and commit 7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7 are contained. - The other issues are fixed in our git master branch.

We've created a snapshot that contains all the fixes mentioned above:
http://pub.freerdp.com/releases/freerdp-1.1.0-beta+2013071101.tar.gz
md5: 108f8404b210ea789226cbca65c43724
sha1: a79d0174b0487abb900601c67572aa6dbfc12629

We will also review our current stable version to check if the issues exist there as well and publish an update if required.

Thank you,
best regards,
Bernhard