Package        : freerdp
Version        : 1.1.0~git20140921.1.440916e+dfsg1-13~deb8u3
CVE ID         : CVE-2018-8786 CVE-2018-8787 CVE-2018-8788 CVE-2018-8789
Debian Bug     :


For the FreeRDP version in Debian jessie LTS a security and functionality
update has recently been provided. FreeRDP is a free re-implementation
of the Microsoft RDP protocol (server and client side) with freerdp-x11
being the most common RDP client these days.

Functional improvements:

     With help from FreeRDP upstream (cudos to Bernhard Miklautz and
     Martin Fleisz) we are happy to announce that RDP proto v6 and CredSSP
     v3 support have been backported to the old FreeRDP 1.1 branch.

     Since Q2/2018, Microsoft Windows servers and clients received an
     update that defaulted their RDP server to proto version 6. Since this
     change, people have not been able anymore to connect to recently
     updated MS Windows machines using old the FreeRDP 1.1 branch as found
     in Debian jessie LTS and Debian stretch.

     With the recent FreeRDP upload to Debian jessie LTS, connecting to
     up-to-date MS Windows machines is now again possible.

Security issues:

CVE-2018-8786

     FreeRDP contained an integer truncation that lead to a heap-based
     buffer overflow in function update_read_bitmap_update() and resulted
     in a memory corruption and probably even a remote code execution.

CVE-2018-8787

     FreeRDP contained an integer overflow that leads to a heap-based
     buffer overflow in function gdi_Bitmap_Decompress() and resulted in a
     memory corruption and probably even a remote code execution.

CVE-2018-8788

     FreeRDP contained an out-of-bounds write of up to 4 bytes in function
     nsc_rle_decode() that resulted in a memory corruption and possibly
     even a remote code execution.

CVE-2018-8789

     FreeRDP contained several out-of-bounds reads in the NTLM
     authentication module that resulted in a denial of service
     (segfault).


For Debian 8 "Jessie", these security problems have been fixed in version
1.1.0~git20140921.1.440916e+dfsg1-13~deb8u3.

We recommend that you upgrade your freerdp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-1666-1: freerdp security update

February 9, 2019
For the FreeRDP version in Debian jessie LTS a security and functionality update has recently been provided

Summary

Functional improvements:

With help from FreeRDP upstream (cudos to Bernhard Miklautz and
Martin Fleisz) we are happy to announce that RDP proto v6 and CredSSP
v3 support have been backported to the old FreeRDP 1.1 branch.

Since Q2/2018, Microsoft Windows servers and clients received an
update that defaulted their RDP server to proto version 6. Since this
change, people have not been able anymore to connect to recently
updated MS Windows machines using old the FreeRDP 1.1 branch as found
in Debian jessie LTS and Debian stretch.

With the recent FreeRDP upload to Debian jessie LTS, connecting to
up-to-date MS Windows machines is now again possible.

Security issues:

CVE-2018-8786

FreeRDP contained an integer truncation that lead to a heap-based
buffer overflow in function update_read_bitmap_update() and resulted
in a memory corruption and probably even a remote code execution.

CVE-2018-8787

FreeRDP contained an integer overflow that l...

Read the Full Advisory


Severity 
Package        : freerdp
Version : 1.1.0~git20140921.1.440916e+dfsg1-13~deb8u3
CVE ID : CVE-2018-8786 CVE-2018-8787 CVE-2018-8788 CVE-2018-8789
Debian Bug :

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved