Prepare {old,}stable update of freerdp2
Hi @tobi,
As discussed on IRC, some freerdp2 CVEs have been fixed in buster but remain unfixed in bullseye and/or bookworm. The bookworm CVEs have been marked by the security team as `no-dsa`, so they have no immediate plans to deal with them. You are actually proposing to handle them via a full version upgrade as a point release: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054915. Could you please continue coordinating with the maintainer and SRM to have an updated package included in the next point release (for CVEs affecting bookworm) and prepare a supplementary DLA (for CVEs affecting bullseye)? Additionally, please keep the security team informed on this matter by mailing team@security.debian.org with a brief summary once a course of action has been agreed upon between yourself, the maintainer, and SRM (as applicable).
- Package: freerdp2
- DLA: DLA 3654-1 and DLA 3606-1
- Version in DLA: freerdp2/buster 2.3.0+dfsg1-2+deb10u3
- CVE(s):
CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
CVE-2022-41877
CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017
CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040
CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045
CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058
CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089
CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099
CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350
CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355
CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188
CVE-2023-40569 CVE-2023-40589
- Fixed in: buster
- Still present in: bullseye and bookworm
Note that this package has been listed in dla-needed.txt, so make sure to claim it there as well when working on this issue.
TIA!