On 1/15/22 7:45 AM, Marek Vasut wrote:
> On 1/15/22 14:43, akuster808 wrote:
>>
>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>> On 1/12/22 05:42, akuster808 wrote:
>>>>
>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>> From: Khem Raj <[email protected]>
>>>>>
>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>> Signed-off-by: Khem Raj <[email protected]>
>>>>> Signed-off-by: Marek Vasut <[email protected]>
>>>>
>>>> And why should I allow this?
>>>
>>> This ... what? The SoB line or the update?
>>
>> What is in the update from 2.2.0 to 2.4.1?
>
> This patch updates freerdp from 2.0.0 to 2.2.0, not from 2.2.0 to
> 2.4.1; that's a later patch.

I still see new features being added in 2.2.0, so the same statements apply. Until the process changes to allow package updates that include new features and functionality for an LTS branch, I am going to decline taking this patch series.

-armin

> This one addresses quite a few old CVEs though, see below.
>
>> I had to look at the release notes myself and found new features being
>> added between those two. New features are not allowed per our process.
>
> This should all be part of the FreeRDP stable-2.0 branch
> https://github.com/FreeRDP/FreeRDP/tree/stable-2.0
>
> Their active development is happening toward the 3.0 release; that's where
> features are being added.
>
> Looking briefly at the Debian changelog for the various CVEs this
> patchset addresses, here is a list:
>
> https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog
>
> freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium
>
>   * New upstream release.
>     + CVE-2020-15103: Integer overflow due to missing input sanitation in
> ...
>
> freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium
>
>   * New upstream release.
>     - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
>     - CVE-2020-4031: Use-After-Free in gdi_SelectObject
>     - CVE-2020-4032: Integer casting vulnerability in
>       `update_recv_secondary_order`
>     - CVE-2020-4030: OOB read in `TrioParse`
>     - CVE-2020-11099: OOB Read in
>       license_read_new_or_upgrade_license_packet
>     - CVE-2020-11098: Out-of-bound read in glyph_cache_put
>     - CVE-2020-11097: OOB read in ntlm_av_pair_get
>     - CVE-2020-11095: Global OOB read in update_recv_primary_order
>     - CVE-2020-11096: Global OOB read in
>       update_read_cache_bitmap_v3_order
> ...
>
> freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium
>
>   * New upstream release. (Closes: #999727).
>     - CVE-2021-41160: Fix improper region checks in all clients that
>       allowed out of bound write to memory. (Closes: #1001062).
>     - CVE-2021-41159: Fix improper client input validation for gateway
>       connections that allowed one to overwrite memory. (Closes: #1001061).
>
>> This patch set will not be included.
>
> I see you've made your decision then.
>
> How do you propose those CVEs be closed in dunfell then?
>
> [...]
View/Reply Online (#94884): https://lists.openembedded.org/g/openembedded-devel/message/94884
