freerdp-2.4.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11591-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z freerdp-2.4.1-1.1 on GA media These are all security issues fixed in the freerdp-2.4.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11591 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-41159/ SUSE CVE CVE-2021-41159 page https://www.suse.com/security/cve/CVE-2021-41160/ SUSE CVE CVE-2021-41160 page openSUSE Tumbleweed freerdp-2.4.1-1.1 freerdp-devel-2.4.1-1.1 freerdp-proxy-2.4.1-1.1 freerdp-server-2.4.1-1.1 freerdp-wayland-2.4.1-1.1 libfreerdp2-2-2.4.1-1.1 libuwac0-0-2.4.1-1.1 libwinpr2-2-2.4.1-1.1 uwac0-0-devel-2.4.1-1.1 winpr-devel-2.4.1-1.1 freerdp-2.4.1-1.1 as a component of openSUSE Tumbleweed freerdp-devel-2.4.1-1.1 as a component of openSUSE Tumbleweed freerdp-proxy-2.4.1-1.1 as a component of openSUSE Tumbleweed freerdp-server-2.4.1-1.1 as a component of openSUSE Tumbleweed freerdp-wayland-2.4.1-1.1 as a component of openSUSE Tumbleweed libfreerdp2-2-2.4.1-1.1 as a component of openSUSE Tumbleweed libuwac0-0-2.4.1-1.1 as a component of openSUSE Tumbleweed libwinpr2-2-2.4.1-1.1 as a component of openSUSE Tumbleweed uwac0-0-devel-2.4.1-1.1 as a component of openSUSE Tumbleweed winpr-devel-2.4.1-1.1 as a component of openSUSE Tumbleweed FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update then use `/gt:http` rather than /gt:rdp connections if possible or use a direct connection without a gateway. CVE-2021-41159 openSUSE Tumbleweed:freerdp-2.4.1-1.1 openSUSE Tumbleweed:freerdp-devel-2.4.1-1.1 openSUSE Tumbleweed:freerdp-proxy-2.4.1-1.1 openSUSE Tumbleweed:freerdp-server-2.4.1-1.1 openSUSE Tumbleweed:freerdp-wayland-2.4.1-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.4.1-1.1 openSUSE Tumbleweed:libuwac0-0-2.4.1-1.1 openSUSE Tumbleweed:libwinpr2-2-2.4.1-1.1 openSUSE Tumbleweed:uwac0-0-devel-2.4.1-1.1 openSUSE Tumbleweed:winpr-devel-2.4.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41159.html CVE-2021-41159 https://bugzilla.suse.com/1191895 SUSE Bug 1191895 FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1. CVE-2021-41160 openSUSE Tumbleweed:freerdp-2.4.1-1.1 openSUSE Tumbleweed:freerdp-devel-2.4.1-1.1 openSUSE Tumbleweed:freerdp-proxy-2.4.1-1.1 openSUSE Tumbleweed:freerdp-server-2.4.1-1.1 openSUSE Tumbleweed:freerdp-wayland-2.4.1-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.4.1-1.1 openSUSE Tumbleweed:libuwac0-0-2.4.1-1.1 openSUSE Tumbleweed:libwinpr2-2-2.4.1-1.1 openSUSE Tumbleweed:uwac0-0-devel-2.4.1-1.1 openSUSE Tumbleweed:winpr-devel-2.4.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41160.html CVE-2021-41160 https://bugzilla.suse.com/1191895 SUSE Bug 1191895