An update for freerdp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1424 Final 1.0 1.0 2021-11-09 Initial 2021-11-09 2021-11-09 openEuler SA Tool V1.0 2021-11-09 freerdp security update An update for freerdp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp. Security Fix(es): FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.(CVE-2021-41160) An update for freerdp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium freerdp https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1424 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-41160 https://nvd.nist.gov/vuln/detail/CVE-2021-41160 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 freerdp-2.4.1-1.oe1.aarch64.rpm freerdp-debuginfo-2.4.1-1.oe1.aarch64.rpm freerdp-help-2.4.1-1.oe1.aarch64.rpm libwinpr-2.4.1-1.oe1.aarch64.rpm libwinpr-devel-2.4.1-1.oe1.aarch64.rpm freerdp-debugsource-2.4.1-1.oe1.aarch64.rpm freerdp-devel-2.4.1-1.oe1.aarch64.rpm freerdp-debugsource-2.4.1-1.oe1.aarch64.rpm freerdp-help-2.4.1-1.oe1.aarch64.rpm libwinpr-2.4.1-1.oe1.aarch64.rpm freerdp-2.4.1-1.oe1.aarch64.rpm freerdp-devel-2.4.1-1.oe1.aarch64.rpm libwinpr-devel-2.4.1-1.oe1.aarch64.rpm freerdp-debuginfo-2.4.1-1.oe1.aarch64.rpm freerdp-2.4.1-1.oe1.src.rpm freerdp-2.4.1-1.oe1.src.rpm libwinpr-devel-2.4.1-1.oe1.x86_64.rpm freerdp-devel-2.4.1-1.oe1.x86_64.rpm freerdp-debugsource-2.4.1-1.oe1.x86_64.rpm freerdp-2.4.1-1.oe1.x86_64.rpm freerdp-help-2.4.1-1.oe1.x86_64.rpm libwinpr-2.4.1-1.oe1.x86_64.rpm freerdp-debuginfo-2.4.1-1.oe1.x86_64.rpm libwinpr-2.4.1-1.oe1.x86_64.rpm freerdp-help-2.4.1-1.oe1.x86_64.rpm freerdp-debuginfo-2.4.1-1.oe1.x86_64.rpm freerdp-devel-2.4.1-1.oe1.x86_64.rpm libwinpr-devel-2.4.1-1.oe1.x86_64.rpm freerdp-2.4.1-1.oe1.x86_64.rpm freerdp-debugsource-2.4.1-1.oe1.x86_64.rpm FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1. 2021-11-09 CVE-2021-41160 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 Medium 6.0 AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N freerdp security update 2021-11-09 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1424