Hi,

All xpra versions prior to today's releases are vulnerable to at least one full remote command execution bug.

The most serious bug requires little user intervention to gain full access to the system. Removing xpra's URL handler association may not be sufficient to protect from this bug.

The other vulnerabilities are only slightly less serious, and can still lead to a client system being compromised. They can be mitigated by turning off the `file-transfer` and `printing` options.

Please update all your clients as soon as possible.
The fixed versions available today are v6.5.1:
https://github.com/Xpra-org/xpra/releases/tag/v6.5.1
And v5.1.6 LTS:
https://github.com/Xpra-org/xpra/releases/tag/v5.1.6

Cheers,
Antoine
_______________________________________________
shifter-users mailing list
[email protected]
https://lists.devloop.org.uk/mailman/listinfo/shifter-users

Reply via email to