Hi,

On Mon, Feb 09, 2026 at 04:24:06PM +0300, Michael Tokarev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:freerdp3
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
> Initially there were 2 bugfixes for 2 severity-important bugs
> from the BTS, plus restoration of the freerdp icon display, and I
> thought about pushing this release for 13.3.
>
> However, a large number of security fixes came in.
>
> So in addition to the above 3 fixes, there are also fixes for 29
> security issues, plus a small number of preparatory patches,
> all picked up from the upstream git repository.
>
> The complete debdiff is over 400Kb in size.
> I'm sorry for it being so large, but here we go.
>
> The list of actual security fixes with the links to complete
> descriptions is in the changelog, below.
>
> This update should close all security issues found and later
> fixed in forky.
>
> While picking up upstream fixes, I also picked up a few other
> changes in the same areas, so the fixes apply cleanly and
> don't require back-porting. In most such cases, the other
> changes are harmless, like improving logging or rearranging
> code a tiny bit to be less obscure, like
> clang-warnings-fix-Wjump-misses-init-*.patch. In my opinion, in this
> case, such extra changes do not hurt at all, but make the actual fix
> apply cleanly and avoid extra possible mistakes while back-porting.
>
> One change, however, is more than that: this is a preparatory
> patch for CVE-2026-24677, rdpecam-fix-camera-sample-grabbing.patch.
> It is a bugfix on its own, so I decided to pick it up too, since
> it changes code in this area quite significantly, and back-porting
> the later fix becomes a real challenge. This patch should not do any
> harm.
>
> [ Impact ]
> This is a really large number of security issues, most of which
> are about a malicious RDP server doing bad things. Even if in
> many cases the RDP server a user connects to can be sort
> of trusted, it's not a good thing to have a bug in this area.
>
> [ Tests ]
> There hasn't been much testing done for this (huge) release. I only
> verified the main xfreerdp3 client works in basic scenarios;
> personally I use this release myself to access several versions
> of Windows RDP servers, and it continues working as expected.
>
> There's one correction already, on top of CVE-2026-24491, which is
> also included in this release, but it was found quite fast, and I
> found it missing in my testing of the Debian package.
>
> I haven't checked more advanced functionality though. Also, I
> checked usage of the freerdp-client shared library only briefly
> (with Gnome Connections).
>
> [ Risks ]
> The risks with this release are relatively high, due to the large
> amount of fixes being back-ported after a large number of other
> changes in the code. So there's a trade-off between risks and
> security issues.
>
> For this reason, it would be best if this release sat in
> trixie-proposed-updates for a while.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> See the top of debdiff.
>
> [ Other info ]
> Since this release is mostly about security fixes, it might also
> be worth considering pushing this through trixie-security. But
> at the same time, due to the relatively high risk of breaking something,
> it might not be a good idea. Either way, I'm Cc'ing the Security
> Team.

I think they should be fixed via the next point release, but have an upload ideally accepted early to give it exposure to testers for regressions.

A minor nitpick: you cannot choose 3.15.0+dfsg-2+deb13u1 as the version, as 3.15.0+dfsg-2.1 is the version which is in stable. So that would be 3.15.0+dfsg-2.1+deb13u1.

Regards,
Salvatore

