freerdp2-2.11.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14022 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z freerdp2-2.11.7-1.1 on GA media These are all security issues fixed in the freerdp2-2.11.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14022 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:14022 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-32039/ SUSE CVE CVE-2024-32039 page https://www.suse.com/security/cve/CVE-2024-32040/ SUSE CVE CVE-2024-32040 page https://www.suse.com/security/cve/CVE-2024-32041/ SUSE CVE CVE-2024-32041 page https://www.suse.com/security/cve/CVE-2024-32458/ SUSE CVE CVE-2024-32458 page https://www.suse.com/security/cve/CVE-2024-32459/ SUSE CVE CVE-2024-32459 page https://www.suse.com/security/cve/CVE-2024-32460/ SUSE CVE CVE-2024-32460 page openSUSE Tumbleweed freerdp2-2.11.7-1.1 freerdp2-devel-2.11.7-1.1 freerdp2-proxy-2.11.7-1.1 freerdp2-server-2.11.7-1.1 libfreerdp2-2-2.11.7-1.1 libwinpr2-2-2.11.7-1.1 winpr2-devel-2.11.7-1.1 freerdp2-2.11.7-1.1 as a component of openSUSE Tumbleweed freerdp2-devel-2.11.7-1.1 as a component of openSUSE Tumbleweed freerdp2-proxy-2.11.7-1.1 as a component of openSUSE Tumbleweed freerdp2-server-2.11.7-1.1 as a component of openSUSE Tumbleweed libfreerdp2-2-2.11.7-1.1 as a component of openSUSE Tumbleweed libwinpr2-2-2.11.7-1.1 as a component of openSUSE Tumbleweed winpr2-devel-2.11.7-1.1 as a component of openSUSE Tumbleweed FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default). CVE-2024-32039 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32039.html CVE-2024-32039 https://bugzilla.suse.com/1223293 SUSE Bug 1223293 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`). CVE-2024-32040 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32040.html CVE-2024-32040 https://bugzilla.suse.com/1223294 SUSE Bug 1223294 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead. CVE-2024-32041 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32041.html CVE-2024-32041 https://bugzilla.suse.com/1223295 SUSE Bug 1223295 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support). CVE-2024-32458 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32458.html CVE-2024-32458 https://bugzilla.suse.com/1223296 SUSE Bug 1223296 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available. CVE-2024-32459 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32459.html CVE-2024-32459 https://bugzilla.suse.com/1223297 SUSE Bug 1223297 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support. CVE-2024-32460 openSUSE Tumbleweed:freerdp2-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-devel-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-proxy-2.11.7-1.1 openSUSE Tumbleweed:freerdp2-server-2.11.7-1.1 openSUSE Tumbleweed:libfreerdp2-2-2.11.7-1.1 openSUSE Tumbleweed:libwinpr2-2-2.11.7-1.1 openSUSE Tumbleweed:winpr2-devel-2.11.7-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32460.html CVE-2024-32460 https://bugzilla.suse.com/1223298 SUSE Bug 1223298