Hi,

On 01/06/2020 14:17, Holger Levsen wrote:
> On Mon, Jun 01, 2020 at 10:55:02AM +0000, Mike Gabriel wrote:
>> Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable
>> effort. IMHO, we should think about avoiding this.
>
> what does 'considerable effort' translate to?
>
> without knowing that, it's a bit hard to comment.
>
>> With the end of jessie LTS and the upcoming of stretch LTS, I'd like to
>> propose the following changes for FreeRDP in old versions of Debian:
>>
>> * EOL freerdp 1.1 for jessie (E)LTS
>> -> impacts: jessie ELTS won't have any version of FreeRDP
>>
>> * consider EOL'ing freerdp 1.1 for stretch LTS
>> -> impacts: ltsp-client (easy to resolve, it can use freerdp2)
>> -> impacts: medusa (resolve by dropping freerdp support)
>> -> impacts: vlc-plugin-access-extra (drop freerdp support)
>
> fine by me (despite the comment above!), if you decide to do so, please also
> document this in debian-security-support.git - I'll handle d-s-s uploads then.
AFAICS most issues are minor (OOB read) and need not be fixed urgently; the proposed changes impact users and multiple packages, and involve backports / break stability.

Candid question: what would be the downsides/limitations of fixing the few medium/high vulnerabilities in freerdp and leaving it that way?

Cheers!
Sylvain
