Hello, There are currently 4 known vulnerabilities in FreeRDP, some of them with a high CVSS score (7.0 and above). The common to all is that they are affecting FreeRDP version 1.0.2. Unfortunately, this seems to be the latest version of FreeRDP marked as a stable release. I am reluctant to use a later beta version. Could someone tell if these vulnerabilities are at all relevant to Guacamole? Are they affecting FreeRDP functionality that Guacamole uses?
CVE-2014-0791 – in FreeRDP 1.0.2 Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet. CVE-2014-0250 – in FreeRDP 1.0.2, 1.0.1, 1.0.0 Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated. CVE-2013-4119 – in FreeRDP 1.0.2 FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished. CVE-2013-4118 – in FreeRDP 1.0.2 FreeRDP before 1.1.0-beta1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. Thanks, JonVol -- View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Are-known-security-vulnerabilities-in-FreeRDP-relevant-to-Guaucamole-tp1388.html Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
