Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 476440 (CVE-2013-4118) - <net-misc/freerdp-1.1.0_beta1: Multiple vulnerabilities (CVE-2013-4118, CVE-2013-4119)
Summary: <net-misc/freerdp-1.1.0_beta1: Multiple vulnerabilities (CVE-2013-4118, CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2013-4118
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-10 19:01 UTC by Agostino Sarubbo
Modified: 2014-06-20 13:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-10 19:01:37 UTC
From ${URL} :

FreeRDP upstream has released 1.1.0-beta1 version:
  [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956

correcting multiple security flaws:
* library / client side fixes:
    https://github.com/FreeRDP/FreeRDP/pull/887
    https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
    https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388

* server side fixes:
    https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
    https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 00:59:37 UTC
1.1.0-beta1_p20130605 is in tree and should be ready to stable, @maintainer: please ack a stable. CVE not assigned yet.
Comment 2 Mike Gilbert gentoo-dev 2013-07-11 02:00:37 UTC
We can stabilize freerdp-1.1.0_beta1. Please do NOT remove the previous version as net-misc/remmina depends on it.

I will see if I can get a new version of remmina in the tree later this week.
Comment 3 Mike Gilbert gentoo-dev 2013-07-11 02:03:10 UTC
Actually, please hold off on stabilization until I can get a compatible version of remmina in the tree.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 21:22:41 UTC
CVEs assigned, might be more coming.
Comment 5 Mike Gilbert gentoo-dev 2013-07-13 20:25:51 UTC
Ok, I have dealt with remmina by dropping its stable keywords due to an unresponsive upstream.

Let's proceed with stabilization on amd64 and x86.

=net-misc/freerdp-1.1.0_beta1
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-13 21:24:59 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-13 21:25:53 UTC
x86 stable
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-14 20:39:19 UTC
net-misc/remmina was taken out of stable  So we need to add net-misc/remmina-1.0.0_p20130625 to the stablereq?
Comment 9 Mike Gilbert gentoo-dev 2013-07-14 22:09:58 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #8)

I do not intend to re-stabilize any version remmina unless someone starts maintaining it upstream.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-19 02:37:03 UTC
GLSA Vote: No
Comment 11 Sergey Popov gentoo-dev 2014-06-20 13:44:29 UTC
GLSA vote: no

Closing as noglsa