On 1/16/22 19:05, akuster808 wrote:
> On 1/15/22 7:45 AM, Marek Vasut wrote:
>> On 1/15/22 14:43, akuster808 wrote:
>>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>>> On 1/12/22 05:42, akuster808 wrote:
>>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>>> From: Khem Raj <[email protected]>
>>>>>>
>>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>>> Signed-off-by: Khem Raj <[email protected]>
>>>>>> Signed-off-by: Marek Vasut <[email protected]>
>>>>>
>>>>> And why should I allow this?
>>>>
>>>> This ... what? The SoB line or the update?
>>>
>>> What is in the update from 2.2.0 to 2.4.1?
>>
>> This patch updates freerdp from 2.0.0 to 2.2.0, not from 2.2.0 to
>> 2.4.1, that's a later patch.
>
> I still see new features being added in 2.2.0 so the same statements
> apply.  Until the process changes to allow package updates that include
> new features and functionality for a LTS branch, I am going to decline
> taking this patch series.

What about the large amount of CVE fixes and the fact that this is still
a stable-2.0 branch update, not upgrade to 3.x, as explained below?

>> This one addresses quite a few old CVEs though, see below.
>
> I had to look at the release notes myself and found new features being
> added between those two. New features are not allowed per our process.
>
>> This should all be part of FreeRDP stable-2.0 branch
>> https://github.com/FreeRDP/FreeRDP/tree/stable-2.0
>>
>> Their active development is happening toward 3.0 release, that's where
>> features are being added.
>>
>> Looking briefly at the debian changelog for the various CVEs this
>> patchset addresses, here is a list:
>>
>> https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog
>>
>> freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      + CVE-2020-15103: Integer overflow due to missing input sanitation in
>> ...
>>
>> freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
>>      - CVE-2020-4031: Use-After-Free in gdi_SelectObject
>>      - CVE-2020-4032: Integer casting vulnerability in
>>        `update_recv_secondary_order`
>>      - CVE-2020-4030: OOB read in `TrioParse`
>>      - CVE-2020-11099: OOB Read in license_read_new_or_upgrade_license_packet
>>      - CVE-2020-11098: Out-of-bound read in glyph_cache_put
>>      - CVE-2020-11097: OOB read in ntlm_av_pair_get
>>      - CVE-2020-11095: Global OOB read in update_recv_primary_order
>>      - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order
>> ...
>>
>> freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release. (Closes: #999727).
>>      - CVE-2021-41160: Fix improper region checks in all clients that allowed
>>        out of bound write to memory. (Closes: #1001062).
>>      - CVE-2021-41159: Fix improper client input validation for gateway
>>        connections that allowed one to overwrite memory. (Closes: #1001061).
>
> This patch set will not be included.

I see you've made your decision then.

How do you propose those CVEs be closed in dunfell then?

[...]

What about this?
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#94886): https://lists.openembedded.org/g/openembedded-devel/message/94886
Mute This Topic: https://lists.openembedded.org/mt/88361250/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
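The argument in the thread hinges on a question a maintainer can answer mechanically: which CVE ids does a given version bump actually close, according to the distribution changelog? The script below is an added example, not code from the thread, from OpenEmbedded or from the FreeRDP or Debian projects. It parses the Debian changelog format (entries start with a `package (version) distribution; urgency=level` header line), collects the CVE ids mentioned under each version, and reports the set closed by moving from one upstream version to another. The sample changelog is a constructed, trimmed copy of the freerdp2 entries quoted above; the version comparison is a deliberate simplification that only handles plain X.Y.Z upstream versions, not full dpkg version ordering.

```python
import re
from collections import OrderedDict

# Constructed sample input: a trimmed copy of the freerdp2 Debian changelog
# entries quoted in the thread above. Bodies are cut to the lines the thread
# shows; descriptions the thread left truncated stay truncated.
SAMPLE_CHANGELOG = """\
freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium

  * New upstream release. (Closes: #999727).
    - CVE-2021-41160: Fix improper region checks in all clients that allowed
      out of bound write to memory. (Closes: #1001062).
    - CVE-2021-41159: Fix improper client input validation for gateway
      connections that allowed one to overwrite memory. (Closes: #1001061).

freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + CVE-2020-15103: Integer overflow due to missing input sanitation in

freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
    - CVE-2020-4031: Use-After-Free in gdi_SelectObject
    - CVE-2020-4032: Integer casting vulnerability in
      `update_recv_secondary_order`
    - CVE-2020-4030: OOB read in `TrioParse`
    - CVE-2020-11099: OOB Read in license_read_new_or_upgrade_license_packet
    - CVE-2020-11098: Out-of-bound read in glyph_cache_put
    - CVE-2020-11097: OOB read in ntlm_av_pair_get
    - CVE-2020-11095: Global OOB read in update_recv_primary_order
    - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order
"""

# A Debian changelog entry opens with a header line of the form
#   package (version) distribution; urgency=level
# and runs until the next such header. Indented body and trailer lines
# never match this pattern, so they are attributed to the current entry.
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Map each changelog version to the sorted list of CVE ids its entry mentions."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("version")
            entries.setdefault(current, set())
            continue
        if current is not None:
            entries[current].update(CVE_RE.findall(line))
    return OrderedDict((v, sorted(c)) for v, c in entries.items())


def upstream_tuple(debian_version):
    """Numeric tuple of the upstream part of a Debian version, e.g. 2.2.0+dfsg1-1 -> (2, 2, 0).

    Assumption/simplification: epochs, '~' pre-release markers and non-numeric
    components are not handled, so this is only valid for plain X.Y.Z upstream
    versions like the ones in the sample, not a replacement for dpkg's ordering.
    """
    upstream = re.split(r"[+-]", debian_version, maxsplit=1)[0]
    return tuple(int(p) for p in upstream.split("."))


def cves_closed_by_update(entries, old, new):
    """CVE ids listed in entries with old < version <= new, i.e. what the bump closes."""
    lo, hi = upstream_tuple(old), upstream_tuple(new)
    closed = set()
    for version, cves in entries.items():
        if lo < upstream_tuple(version) <= hi:
            closed.update(cves)
    return sorted(closed)


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for old, new in (("2.0.0", "2.2.0"), ("2.2.0", "2.4.1")):
        print(f"{old} -> {new}: {', '.join(cves_closed_by_update(entries, old, new))}")
```

Run against the sample, the 2.0.0 to 2.2.0 bump the thread is about yields the ten CVE-2020 ids listed under 2.1.2 and 2.2.0, and the later 2.2.0 to 2.4.1 bump yields the two CVE-2021 ids; a changelog only names the CVEs the packager chose to mention, so the output is a lower bound to be checked against upstream advisories, not a complete list.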