Does anyone have a build for Windows ready to download?
Thanks, Joachim

-----Original Message-----
From: Bernhard Miklautz via FreeRDP-devel <freerdp-devel@lists.sourceforge.net>
Sent: Wednesday, November 16, 2022 16:56
To: freerdp-devel@lists.sourceforge.net
Subject: [FreeRDP-devel] FreeRDP release 2.9.0

Hi,

FreeRDP version 2.9.0 was just released:

As usual, the archive can be downloaded from:

https://pub.freerdp.com/releases/


2.9.0 is a security and maintenance release.

Team BT5 (BoB 11th) has identified and reported the following security related 
client side issues that could possibly be utilized with a malicious RDP server:

* CVE-2022-39319 - Missing length validation in urbdrc channel (moderate)
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh

* CVE-2022-39320 - Heap buffer overflow in urbdrc channel (moderate)
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j

* CVE-2022-39316 - Out of bound read in zgfx decoder
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm

* CVE-2022-39317 - Undefined behaviour in zgfx decoder
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh

* CVE-2022-39318 - Division by zero in urbdrc channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35

* CVE-2022-41877 - Missing input length validation in `drive` channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h

* CVE-2022-39347 - Missing path sanitation with `drive` channel
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg

Many thanks to Team BT5 (BoB 11th) for reporting.


Fixed issues:

* #8341: Null checks in winpr_Digest_Free
* #8335: Missing NULL return in winpr_Digest_New
* #8192: Support for audin version 2 microphone channel
* #7282: Discard input events before activation (Fixes #8374)


Noteworthy changes:

* #8252: Support sending server redirection PDU
* #8406: Ensure X11 client cursor is never smaller than 1x1
* #7282: Proxy server now discards input events sent before
  activation was received
* #8324: Internal replacements for md4, md5 and hmac-md5
  For the time being the RDP protocol requires these outdated hash
  algorithms. So any distribution that wants to ship a working
  FreeRDP should check the options WITH_INTERNAL_MD4 (and depending
  on OpenSSL deprecation status WITH_INTERNAL_MD5)

If you are using an older release of FreeRDP we recommend upgrading to
2.9.0.


Best regards,
the FreeRDP team.


_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel


