* [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0
@ 2022-05-13 21:14 Fabrice Fontaine
2022-05-14 20:57 ` Peter Korsgaard
2022-05-29 8:13 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-05-13 21:14 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Fabrice Fontaine
Fix CVE-2022-24882: FreeRDP is a free implementation of the Remote
Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager
(NTLM) authentication does not properly abort when someone provides and
empty password value. This issue affects FreeRDP based RDP Server
implementations. RDP clients are not affected. The vulnerability is
patched in FreeRDP 2.7.0. There are currently no known workarounds.
Fix CVE-2022-24883: FreeRDP is a free implementation of the Remote
Desktop Protocol (RDP). Prior to version 2.7.0, server side
authentication against a `SAM` file might be successful for invalid
credentials if the server has configured an invalid `SAM` file path.
FreeRDP based clients are not affected. RDP server implementations using
FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0
contains a fix for this issue. As a workaround, use custom
authentication via `HashCallback` and/or ensure the `SAM` database path
configured is valid and the application has file handles left.
https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/freerdp/freerdp.hash | 4 ++--
package/freerdp/freerdp.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/freerdp/freerdp.hash b/package/freerdp/freerdp.hash
index 28e733aa2f..2b7aa25999 100644
--- a/package/freerdp/freerdp.hash
+++ b/package/freerdp/freerdp.hash
@@ -1,5 +1,5 @@
-# From https://pub.freerdp.com/releases/freerdp-2.6.1.tar.gz.sha256
-sha256 e4b3b93d102bc03164f592d26d7a06d6de648bf78b1e3dcbd8d62941431c1f28 freerdp-2.6.1.tar.gz
+# From https://pub.freerdp.com/releases/freerdp-2.7.0.tar.gz.sha256
+sha256 89000728b6e66ac37db018d6dc5f0981b530fd550ab748877ff42892dd0c166b freerdp-2.7.0.tar.gz
# Locally calculated
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
diff --git a/package/freerdp/freerdp.mk b/package/freerdp/freerdp.mk
index a1791b27f0..f4636724d3 100644
--- a/package/freerdp/freerdp.mk
+++ b/package/freerdp/freerdp.mk
@@ -4,7 +4,7 @@
#
################################################################################
-FREERDP_VERSION = 2.6.1
+FREERDP_VERSION = 2.7.0
FREERDP_SITE = https://pub.freerdp.com/releases
FREERDP_DEPENDENCIES = libglib2 openssl zlib
FREERDP_LICENSE = Apache-2.0
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0
2022-05-13 21:14 [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0 Fabrice Fontaine
@ 2022-05-14 20:57 ` Peter Korsgaard
2022-05-29 8:13 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-05-14 20:57 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Yann E . MORIN, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2022-24882: FreeRDP is a free implementation of the Remote
> Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager
> (NTLM) authentication does not properly abort when someone provides and
> empty password value. This issue affects FreeRDP based RDP Server
> implementations. RDP clients are not affected. The vulnerability is
> patched in FreeRDP 2.7.0. There are currently no known workarounds.
> Fix CVE-2022-24883: FreeRDP is a free implementation of the Remote
> Desktop Protocol (RDP). Prior to version 2.7.0, server side
> authentication against a `SAM` file might be successful for invalid
> credentials if the server has configured an invalid `SAM` file path.
> FreeRDP based clients are not affected. RDP server implementations using
> FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0
> contains a fix for this issue. As a workaround, use custom
> authentication via `HashCallback` and/or ensure the `SAM` database path
> configured is valid and the application has file handles left.
> https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0
2022-05-13 21:14 [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0 Fabrice Fontaine
2022-05-14 20:57 ` Peter Korsgaard
@ 2022-05-29 8:13 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-05-29 8:13 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Yann E . MORIN, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2022-24882: FreeRDP is a free implementation of the Remote
> Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager
> (NTLM) authentication does not properly abort when someone provides and
> empty password value. This issue affects FreeRDP based RDP Server
> implementations. RDP clients are not affected. The vulnerability is
> patched in FreeRDP 2.7.0. There are currently no known workarounds.
> Fix CVE-2022-24883: FreeRDP is a free implementation of the Remote
> Desktop Protocol (RDP). Prior to version 2.7.0, server side
> authentication against a `SAM` file might be successful for invalid
> credentials if the server has configured an invalid `SAM` file path.
> FreeRDP based clients are not affected. RDP server implementations using
> FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0
> contains a fix for this issue. As a workaround, use custom
> authentication via `HashCallback` and/or ensure the `SAM` database path
> configured is valid and the application has file handles left.
> https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-29 8:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-13 21:14 [Buildroot] [PATCH 1/1] package/freerdp: security bump to version 2.7.0 Fabrice Fontaine
2022-05-14 20:57 ` Peter Korsgaard
2022-05-29 8:13 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.