Summary: | net-misc/freerdp-2.9.0: multiple vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | floppym |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/FreeRDP/FreeRDP/releases/tag/2.9.0 | | |
Whiteboard: | B3 [glsa+] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 881835 | | |
Bug Blocks: | | | |
Description
John Helmert III
2022-11-16 17:07:04 UTC
see also Bug 881695

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f3a6469bc2be992e106945747c997e5819d5f7d

commit 0f3a6469bc2be992e106945747c997e5819d5f7d
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-11-17 21:20:03 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-11-18 20:43:22 +0000

    net-misc/freerdp: add 2.9.0

    Bug: https://bugs.gentoo.org/881525
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-misc/freerdp/Manifest             |   1 +
 net-misc/freerdp/freerdp-2.9.0.ebuild | 124 ++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)

(In reply to John Helmert III from comment #0)
> Release notes say:
>
> "* Backported #8403: Fixed multiple client side input validation issues
> (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
> CVE-2022-39320, CVE-2022-41877, CVE-2022-39347)"
>
> TRUE and a FALSE, so I'd be very surprised if this fixes 7 different
> CVEs. Nevertheless, please bump to 2.9.0

Hm, my script mangled my comment. I meant to say that the patch (https://github.com/FreeRDP/FreeRDP/pull/8403/files) only flip-flops a TRUE and a FALSE, so I'd be very surprised if this fixes 7 different CVEs.

Anyway, thank you for bumping! Please stabilize when ready.

Any idea about the impact?

(In reply to John Helmert III from comment #3)
I think they simply referenced the wrong PR for the CVE fixes.

This one appears to be more relevant: https://github.com/FreeRDP/FreeRDP/pull/8380

Relevant GHSA links, along with the severity:

CVE-2022-39316 Low      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
CVE-2022-39317 Low      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh
CVE-2022-39318 Low      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
CVE-2022-39319 Moderate https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
CVE-2022-39320 Moderate https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j
CVE-2022-39347 Low      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
CVE-2022-41877 Low      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h

The NIST NVD rates these as significantly more severe than the GHSA ratings.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=454346cf7827cb35639b0cc80cdb114d2d6755e7

commit 454346cf7827cb35639b0cc80cdb114d2d6755e7
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-12-06 16:47:44 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-12-06 16:47:44 +0000

    net-misc/freerdp: drop 2.8.1

    Bug: https://bugs.gentoo.org/881525
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-misc/freerdp/Manifest             |   1 -
 net-misc/freerdp/freerdp-2.8.1.ebuild | 127 ----------------------------------
 2 files changed, 128 deletions(-)

Thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0bd76dc2009147dbb24e9f25ef0c1928a1d99371

commit 0bd76dc2009147dbb24e9f25ef0c1928a1d99371
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-12 11:46:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-12 11:46:59 +0000

    [ GLSA 202401-16 ] FreeRDP: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/881525
    Bug: https://bugs.gentoo.org/918546
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-16.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)