Hi, FreeRDP version 2.9.0 was just released:
As usual, the archive can be downloaded from:
https://pub.freerdp.com/releases/

2.9.0 is a security and maintenance release.

Team BT5 (BoB 11th) has identified and reported the following security-related client-side issues that could possibly be utilized with a malicious RDP server:

* CVE-2022-39319 - Missing length validation in urbdrc channel (moderate)
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
* CVE-2022-39320 - Heap buffer overflow in urbdrc channel (moderate)
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j
* CVE-2022-39316 - Out of bound read in zgfx decoder
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
* CVE-2022-39317 - Undefined behaviour in zgfx decoder
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh
* CVE-2022-39318 - Division by zero in urbdrc channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
* CVE-2022-41877 - Missing input length validation in `drive` channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
* CVE-2022-39347 - Missing path sanitation with `drive` channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg

Many thanks to Team BT5 (BoB 11th) for reporting.

Fixed issues:

* #8341: Null checks in winpr_Digest_Free
* #8335: Missing NULL return in winpr_Digest_New
* #8192: Support for audin version 2 microphone channel
* #7282: Discard input events before activation (Fixes #8374)

Noteworthy changes:

* #8252: Support sending server redirection PDU
* #8406: Ensure X11 client cursor is never smaller than 1x1
* #7282: Proxy server now discards input events sent before activation was received
* #8324: Internal replacements for md4, md5 and hmac-md5
  For the time being the RDP protocol requires these outdated hash algorithms.
  So any distribution that wants to ship a working FreeRDP should check the options WITH_INTERNAL_MD4 (and depending on OpenSSL deprecation status WITH_INTERNAL_MD5).

If you are using an older release of FreeRDP we recommend upgrading to 2.9.0.

Best regards,
the FreeRDP team.

_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel