On 1/15/22 14:43, akuster808 wrote:
> On 1/11/22 8:57 PM, Marek Vasut wrote:
>> On 1/12/22 05:42, akuster808 wrote:
>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>> From: Khem Raj <[email protected]>
>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>> Signed-off-by: Khem Raj <[email protected]>
>>>> Signed-off-by: Marek Vasut <[email protected]>
>>>
>>> And why should I allow this?
>>
>> This ... what? The SoB line or the update?
>
> What is in the update from 2.2.0 to 2.4.1?

This patch updates freerdp from 2.0.0 to 2.2.0, not from 2.2.0 to 2.4.1;
that's a later patch. This one addresses quite a few old CVEs though,
see below.

> I had to look at the release notes myself and found new features being
> added between those two. New features are not allowed per our process.

This should all be part of the FreeRDP stable-2.0 branch
https://github.com/FreeRDP/FreeRDP/tree/stable-2.0
Their active development is happening toward the 3.0 release, that's where
features are being added.

>> Looking briefly at the Debian changelog for the various CVEs this
>> patchset addresses, here is a list:
>>
>> https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog
>>
>> freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium
>>   * New upstream release.
>>     + CVE-2020-15103: Integer overflow due to missing input sanitation in
>> ...
>> freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium
>>   * New upstream release.
>>     - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
>>     - CVE-2020-4031: Use-After-Free in gdi_SelectObject
>>     - CVE-2020-4032: Integer casting vulnerability in
>>       `update_recv_secondary_order`
>>     - CVE-2020-4030: OOB read in `TrioParse`
>>     - CVE-2020-11099: OOB Read in
>>       license_read_new_or_upgrade_license_packet
>>     - CVE-2020-11098: Out-of-bound read in glyph_cache_put
>>     - CVE-2020-11097: OOB read in ntlm_av_pair_get
>>     - CVE-2020-11095: Global OOB read in update_recv_primary_order
>>     - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order
>> ...
>> freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium
>>   * New upstream release. (Closes: #999727).
>>     - CVE-2021-41160: Fix improper region checks in all clients that allowed
>>       out of bound write to memory. (Closes: #1001062).
>>     - CVE-2021-41159: Fix improper client input validation for gateway
>>       connections that allowed one to overwrite memory. (Closes: #1001061).
>
> This patch set will not be included.

I see you've made your decision then.

How do you propose those CVEs be closed in dunfell then?

[...]
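The CVE list in the thread was assembled by reading the Debian changelog by hand. The following Python script is an added example, not part of the thread or of the freerdp/meta-oe recipes: it parses the Debian changelog format and reports every CVE identifier mentioned in the entries between two upstream versions, which is the question a reviewer of a dunfell version bump actually wants answered. The embedded changelog is a constructed excerpt condensed from the entries quoted above; the 2.0.0 entry and the maintainer trailer line are placeholders, and all function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Debian changelog entry header, e.g. "freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium".
HEADER_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\S+)"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample in the shape of the freerdp2 changelog quoted in the thread.
# The 2.0.0 entry and the " -- ..." trailer are placeholders, not real data.
SAMPLE_CHANGELOG = """\
freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium

  * New upstream release. (Closes: #999727).
    - CVE-2021-41160: Fix improper region checks in all clients that allowed
      out of bound write to memory. (Closes: #1001062).
    - CVE-2021-41159: Fix improper client input validation for gateway
      connections that allowed one to overwrite memory. (Closes: #1001061).

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + CVE-2020-15103: Integer overflow due to missing input sanitation

freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
    - CVE-2020-4031: Use-After-Free in gdi_SelectObject
    - CVE-2020-4032: Integer casting vulnerability in
      `update_recv_secondary_order`
    - CVE-2020-4030: OOB read in `TrioParse`
    - CVE-2020-11099: OOB Read in
      license_read_new_or_upgrade_license_packet
    - CVE-2020-11098: Out-of-bound read in glyph_cache_put
    - CVE-2020-11097: OOB read in ntlm_av_pair_get
    - CVE-2020-11095: Global OOB read in update_recv_primary_order
    - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order

freerdp2 (2.0.0+dfsg1-1) unstable; urgency=medium

  * New upstream release.
"""


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Split a Debian changelog into (debian_version, body_lines) entries in
    file order, which is newest first. Trailer lines are kept as body text."""
    entries: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m.group("ver"), []))
        elif entries:
            entries[-1][1].append(line)
    return entries


def upstream_version(debian_version: str) -> str:
    """'1:2.4.1+dfsg1-1' -> '2.4.1': drop epoch, Debian revision and the
    +dfsg/+ds/+repack tag that marks a repacked upstream tarball."""
    v = debian_version.split(":", 1)[-1]
    v = v.rsplit("-", 1)[0]
    return re.sub(r"\+(?:dfsg|ds|repack)\d*$", "", v)


def cves_fixed_between(text: str, old: str, new: str) -> Dict[str, Tuple[str, str]]:
    """Map each CVE id mentioned in entries newer than `old` up to and including
    `new` to (upstream version, the changelog line that mentions it).
    Relies on newest-first ordering, so no Debian version comparison is needed.
    Both bounds must exist in the changelog; a typo must not silently report
    'nothing fixed' or sweep in the whole history."""
    found: Dict[str, Tuple[str, str]] = {}
    in_range = seen_old = False
    for deb_ver, body in parse_changelog(text):
        up = upstream_version(deb_ver)
        if up == new:
            in_range = True
        if up == old:
            seen_old = True
            break
        if in_range:
            for line in body:
                for cve in CVE_RE.findall(line):
                    found.setdefault(cve, (up, line.strip()))
    if not in_range:
        raise ValueError(f"version {new} not found in changelog")
    if not seen_old:
        raise ValueError(f"version {old} not found in changelog")
    return found


def cve_report(text: str, old: str, new: str) -> List[str]:
    """One line per CVE in numeric order, suitable for pasting into a commit message."""
    found = cves_fixed_between(text, old, new)
    key = lambda kv: tuple(int(x) for x in kv[0].split("-")[1:])
    return [f"{cve} (fixed in {ver}): {line}" for cve, (ver, line) in sorted(found.items(), key=key)]


if __name__ == "__main__":
    for row in cve_report(SAMPLE_CHANGELOG, "2.0.0", "2.2.0"):
        print(row)
```

To run it against the real file, fetch the changelog URL quoted in the thread and pass its text instead of `SAMPLE_CHANGELOG`. Two caveats: a changelog entry can mention a CVE to say the package is not affected, so the reported line should be read rather than trusted blindly; and this is a triage aid for writing the commit message, not a substitute for the cve-check class or the NVD data the recipe's version is matched against.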