An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1515 Final 1.0 1.0 2024-04-26 Initial 2024-04-26 2024-04-26 openEuler SA Tool V1.0 2024-04-26 freerdp security update An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp. Security Fix(es): FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default).(CVE-2024-32039) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).(CVE-2024-32040) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead.(CVE-2024-32041) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support).(CVE-2024-32458) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.(CVE-2024-32459) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support.(CVE-2024-32460) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32658) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32659) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32660) An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical freerdp https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32039 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32040 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32041 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32458 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32459 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32460 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32658 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32659 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-32660 https://nvd.nist.gov/vuln/detail/CVE-2024-32039 https://nvd.nist.gov/vuln/detail/CVE-2024-32040 https://nvd.nist.gov/vuln/detail/CVE-2024-32041 https://nvd.nist.gov/vuln/detail/CVE-2024-32458 https://nvd.nist.gov/vuln/detail/CVE-2024-32459 https://nvd.nist.gov/vuln/detail/CVE-2024-32460 https://nvd.nist.gov/vuln/detail/CVE-2024-32658 https://nvd.nist.gov/vuln/detail/CVE-2024-32659 https://nvd.nist.gov/vuln/detail/CVE-2024-32660 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 freerdp-devel-2.11.7-1.oe1.aarch64.rpm freerdp-debugsource-2.11.7-1.oe1.aarch64.rpm libwinpr-devel-2.11.7-1.oe1.aarch64.rpm freerdp-help-2.11.7-1.oe1.aarch64.rpm freerdp-2.11.7-1.oe1.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe1.aarch64.rpm libwinpr-2.11.7-1.oe1.aarch64.rpm libwinpr-2.11.7-1.oe2003sp4.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe2003sp4.aarch64.rpm freerdp-devel-2.11.7-1.oe2003sp4.aarch64.rpm freerdp-debugsource-2.11.7-1.oe2003sp4.aarch64.rpm freerdp-2.11.7-1.oe2003sp4.aarch64.rpm freerdp-help-2.11.7-1.oe2003sp4.aarch64.rpm libwinpr-devel-2.11.7-1.oe2003sp4.aarch64.rpm libwinpr-devel-2.11.7-1.oe2203.aarch64.rpm freerdp-2.11.7-1.oe2203.aarch64.rpm freerdp-debugsource-2.11.7-1.oe2203.aarch64.rpm libwinpr-2.11.7-1.oe2203.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe2203.aarch64.rpm freerdp-help-2.11.7-1.oe2203.aarch64.rpm freerdp-devel-2.11.7-1.oe2203.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp1.aarch64.rpm libwinpr-2.11.7-1.oe2203sp1.aarch64.rpm freerdp-2.11.7-1.oe2203sp1.aarch64.rpm freerdp-devel-2.11.7-1.oe2203sp1.aarch64.rpm freerdp-help-2.11.7-1.oe2203sp1.aarch64.rpm libwinpr-devel-2.11.7-1.oe2203sp1.aarch64.rpm freerdp-debugsource-2.11.7-1.oe2203sp1.aarch64.rpm freerdp-debugsource-2.11.7-1.oe2203sp2.aarch64.rpm libwinpr-2.11.7-1.oe2203sp2.aarch64.rpm freerdp-devel-2.11.7-1.oe2203sp2.aarch64.rpm libwinpr-devel-2.11.7-1.oe2203sp2.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp2.aarch64.rpm freerdp-2.11.7-1.oe2203sp2.aarch64.rpm freerdp-help-2.11.7-1.oe2203sp2.aarch64.rpm freerdp-help-2.11.7-1.oe2203sp3.aarch64.rpm freerdp-debugsource-2.11.7-1.oe2203sp3.aarch64.rpm libwinpr-2.11.7-1.oe2203sp3.aarch64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp3.aarch64.rpm freerdp-2.11.7-1.oe2203sp3.aarch64.rpm freerdp-devel-2.11.7-1.oe2203sp3.aarch64.rpm libwinpr-devel-2.11.7-1.oe2203sp3.aarch64.rpm freerdp-2.11.7-1.oe1.src.rpm freerdp-2.11.7-1.oe2003sp4.src.rpm freerdp-2.11.7-1.oe2203.src.rpm freerdp-2.11.7-1.oe2203sp1.src.rpm freerdp-2.11.7-1.oe2203sp2.src.rpm freerdp-2.11.7-1.oe2203sp3.src.rpm freerdp-2.11.7-1.oe1.x86_64.rpm libwinpr-2.11.7-1.oe1.x86_64.rpm freerdp-devel-2.11.7-1.oe1.x86_64.rpm freerdp-debugsource-2.11.7-1.oe1.x86_64.rpm libwinpr-devel-2.11.7-1.oe1.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe1.x86_64.rpm freerdp-help-2.11.7-1.oe1.x86_64.rpm freerdp-2.11.7-1.oe2003sp4.x86_64.rpm freerdp-devel-2.11.7-1.oe2003sp4.x86_64.rpm libwinpr-2.11.7-1.oe2003sp4.x86_64.rpm freerdp-help-2.11.7-1.oe2003sp4.x86_64.rpm freerdp-debugsource-2.11.7-1.oe2003sp4.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe2003sp4.x86_64.rpm libwinpr-devel-2.11.7-1.oe2003sp4.x86_64.rpm libwinpr-devel-2.11.7-1.oe2203.x86_64.rpm freerdp-2.11.7-1.oe2203.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe2203.x86_64.rpm libwinpr-2.11.7-1.oe2203.x86_64.rpm freerdp-help-2.11.7-1.oe2203.x86_64.rpm freerdp-debugsource-2.11.7-1.oe2203.x86_64.rpm freerdp-devel-2.11.7-1.oe2203.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp1.x86_64.rpm freerdp-2.11.7-1.oe2203sp1.x86_64.rpm freerdp-help-2.11.7-1.oe2203sp1.x86_64.rpm libwinpr-2.11.7-1.oe2203sp1.x86_64.rpm freerdp-devel-2.11.7-1.oe2203sp1.x86_64.rpm libwinpr-devel-2.11.7-1.oe2203sp1.x86_64.rpm freerdp-debugsource-2.11.7-1.oe2203sp1.x86_64.rpm libwinpr-devel-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-help-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-devel-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-debugsource-2.11.7-1.oe2203sp2.x86_64.rpm libwinpr-2.11.7-1.oe2203sp2.x86_64.rpm freerdp-debugsource-2.11.7-1.oe2203sp3.x86_64.rpm freerdp-devel-2.11.7-1.oe2203sp3.x86_64.rpm freerdp-help-2.11.7-1.oe2203sp3.x86_64.rpm freerdp-2.11.7-1.oe2203sp3.x86_64.rpm freerdp-debuginfo-2.11.7-1.oe2203sp3.x86_64.rpm libwinpr-devel-2.11.7-1.oe2203sp3.x86_64.rpm libwinpr-2.11.7-1.oe2203sp3.x86_64.rpm FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default). 2024-04-26 CVE-2024-32039 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`). 2024-04-26 CVE-2024-32040 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 High 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead. 2024-04-26 CVE-2024-32041 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support). 2024-04-26 CVE-2024-32458 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available. 2024-04-26 CVE-2024-32459 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support. 2024-04-26 CVE-2024-32460 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 High 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available. 2024-04-26 CVE-2024-32658 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available. 2024-04-26 CVE-2024-32659 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available. 2024-04-26 CVE-2024-32660 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H freerdp security update 2024-04-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1515