On Tue, Jun 11, 2019 at 09:22:30PM +0200, Salvatore Bonaccorso wrote:
> Source: rdesktop
> Version: 1.8.4-1
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> Control: fixed -1 1.8.6-1
>
> Hi
>
> 1.8.6-1 mentions a new upstream release with many security fixes, but
> none of those apparently have (yet) a CVE. Filling this bug for having
> an unique identifier for the tracker in meanwhile.
>
> Reference:
> https://tracker.debian.org/news/1041036/accepted-rdesktop-186-1-source-into-unstable/
AFAICS there is not clear information on which issues are fixed
exactly,
https://groups.google.com/forum/#!topic/rdesktop-announce/czgpKDfm2D0
is a bit scarce on information.
Probably if we are going to release a stretch-security update it might
be worth doing an import of 1.8.6 for the security update itself and
moving from 1.8.4-1~deb9u1 to the new upstream version.
Regards,
Salvatore
