Summary: | net/freerdp: Update to 2.1.1 | |
---|---|---|---
Product: | Ports & Packages | Reporter: | Vladimir Druzenko <vvd>
Component: | Individual Port(s) | Assignee: | Kyle Evans <kevans>
Status: | Closed FIXED | |
Severity: | Affects Many People | CC: | dpetrov67, hselasky, koobs, ports-secteam
Priority: | Normal | Keywords: | needs-qa, security
Version: | Latest | Flags: | bugzilla: maintainer-feedback? (kevans), koobs: merge-quarterly?
Hardware: | Any | |
OS: | Any | |
URL: | https://github.com/FreeRDP/FreeRDP/releases/tag/2.1.1 | |

Description
Vladimir Druzenko
2020-04-10 19:40:46 UTC
Looping hselasky@ in on this for points #1 and #2, as he's the libusb maintainer.

Created attachment 214534 [details]
Update to 2.1.0

Released 2.1.0 with a lot of CVEs fixed:

# 2020-05-05 Version 2.1.0
Important notes:
* fix multiple CVEs: CVE-2020-11039, CVE-2020-11038, CVE-2020-11043, CVE-2020-11040, CVE-2020-11041, CVE-2020-11019, CVE-2020-11017, CVE-2020-11018

# 2020-04-09 Version 2.0.0
Important notes:
* fix multiple CVEs: CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526

https://github.com/FreeRDP/FreeRDP/blob/2.1.0/ChangeLog

Created attachment 214848 [details]
Update to 2.1.1
More CVEs.
2020-05-20 Version 2.1.1:
* CVE: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
* CVE: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
* CVE: GHSL-2020-102 OOB Write in crypto_rsa_common
Created attachment 214934 [details]
Update to 2.1.1
It was an old file.
Created attachment 214940 [details]
svn(1) diff against the ports tree
Proposed VuXML entry.
Created attachment 214941 [details]
Proposed vuxml entry
Include the 2.1.1 vulns, too
FreeRDP patch LGTM; CC'ing koobs@ as my mentor.

Can you confirm that you've run this through testport? I was hoping Hans would pitch in on the libusb-related part, but alas; I'll poke him about it afterwards.

Comment on attachment 214941 [details]
Proposed vuxml entry
@Kyle does the vuxml entry pass make validate? If so:
Approved by: koobs (mentor)
Looking over it again, the uwac part (O_TMPFILE) is a bit wrong for FreeBSD. It would have worked for testing because the open() call would fail, but I've submitted a more proper solution upstream [0] in case the invalid bit that's getting set eventually gets defined and breaks FreeRDP.

I'm doing one last test build, then I will commit -- probably in the morning, because it's getting late and I'm still rebuilding llvm.

[0] https://github.com/FreeRDP/FreeRDP/pull/626

(In reply to Kyle Evans from comment #9)
> [0] https://github.com/FreeRDP/FreeRDP/pull/626

https://github.com/FreeRDP/FreeRDP/pull/6268

A commit references this bug:

Author: kevans
Date: Mon Jun 8 15:49:06 UTC 2020
New revision: 538227
URL: https://svnweb.freebsd.org/changeset/ports/538227

Log:
security/vuxml: document new vulnerabilities in net/freerdp < 2.1.0

PR: 246931, 245517
Obtained from: https://github.com/FreeRDP/FreeRDP/blob/2.1.0/ChangeLog
Approved by: koobs (mentor)

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: kevans
Date: Mon Jun 8 15:51:57 UTC 2020
New revision: 538228
URL: https://svnweb.freebsd.org/changeset/ports/538228

Log:
net/freerdp: update to 2.1.0

This update incorporates many features and improvements since 2.0.0-rc4, as well as a large mass of security fixes. Full changelog available: https://github.com/FreeRDP/FreeRDP/blob/2.1.0/ChangeLog

PR: 245517
Approved by: koobs (mentor)
MFH: 2020Q2
Security: 669f3fe8-a07a-11ea-b83e-f0def1f5c5a2

Changes:
head/net/freerdp/Makefile
head/net/freerdp/distinfo
head/net/freerdp/files/mntent.h
head/net/freerdp/files/patch-channels_urbdrc_client_libusb_libusb__udevice.h
head/net/freerdp/files/patch-channels_urbdrc_client_libusb_libusb__udevman.c
head/net/freerdp/pkg-plist

Committed, thanks!
(In reply to commit-hook from comment #12)
> net/freerdp: update to 2.1.0

2.1.1

It's not so important, but patch-client_Wayland_CMakeLists.txt: -@@ -39,5 +39,12 @@ target_link_libraries(${MODULE_NAME} ${$ +@@ -46,5 +46,12 @@ target_link_libraries(${MODULE_NAME} ${$ patch-client_X11_CMakeLists.txt: -@@ -111,7 +111,11 @@ if(WITH_MANPAGES) +@@ -126,7 +126,11 @@ if(WITH_MANPAGES)

A commit references this bug:

Author: kevans
Date: Wed Jun 17 02:14:25 UTC 2020
New revision: 539399
URL: https://svnweb.freebsd.org/changeset/ports/539399

Log:
MFH: r538228 r538329

net/freerdp: update to 2.1.0

This update incorporates many features and improvements since 2.0.0-rc4, as well as a large mass of security fixes. Full changelog available: https://github.com/FreeRDP/FreeRDP/blob/2.1.0/ChangeLog

PR: 245517
Approved by: koobs (mentor)
Security: 669f3fe8-a07a-11ea-b83e-f0def1f5c5a2

net/freerdp: fix build on FreeBSD 11.x

Apparently this hadn't been caught in my test matrix -- it seems that later versions of FreeBSD have a getmntent() definition that masked this error. mntent_compat.c has been adopted from devel/fam, though a better solution should be sought out going into the future.

Approved by: koobs (mentor, implicit, just-fix-it)
Approved by: ports-secteam (joneum)

Changes:
_U branches/2020Q2/
branches/2020Q2/net/freerdp/Makefile
branches/2020Q2/net/freerdp/distinfo
branches/2020Q2/net/freerdp/files/mntent.h
branches/2020Q2/net/freerdp/files/mntent_compat.c
branches/2020Q2/net/freerdp/files/patch-channels_rdpdr_client_CMakeLists.txt
branches/2020Q2/net/freerdp/files/patch-channels_urbdrc_client_libusb_libusb__udevice.h
branches/2020Q2/net/freerdp/files/patch-channels_urbdrc_client_libusb_libusb__udevman.c
branches/2020Q2/net/freerdp/pkg-plist
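
Review bot: the hunk headers quoted above for patch-client_Wayland_CMakeLists.txt (39 to 46) and patch-client_X11_CMakeLists.txt (111 to 126) differ only in their start offsets, with the hunk lengths 5/12 and 7/11 unchanged, which is consistent with the files in the tree applying at an offset against the newer upstream CMakeLists.txt. Regenerating both patch files against the updated sources would keep the port's patches applying cleanly; the hunk bodies are not shown here, so the context lines should be checked when doing so.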