FreeRDP2 security update for Debian 10 ELTS


A security update for FreeRDP2, an implementation of the Remote Desktop Protocol, has been released for Debian GNU/Linux 10 (Buster) under Extended LTS, identified as ELA-1483-1. This update addresses several vulnerabilities that could potentially compromise the security and stability of systems using FreeRDP2.

The updated package version is 2.3.0+dfsg1-2+deb11u3~deb10u1 and it resolves multiple issues related to various CVEs (Common Vulnerabilities and Exposures). Notably, the vulnerabilities include:

- CVE-2022-24882: Inadequate parameter checking in the server-side NTLM.
- CVE-2022-39320: A heap buffer overflow in the urbdrc channel.
- CVE-2024-22211: An integer overflow in freerdp_bitmap_planar_context_reset.
- CVE-2024-32039: Integer overflow and out-of-bounds write in clear_decompress_residual_data.
- CVE-2024-32040: Integer underflow in nsc_rle_decode.
- CVE-2024-32041: Out-of-bounds read in zgfx_decompress_segment.
- CVE-2024-32458: Out-of-bounds read in planar_skip_plane_rle.
- CVE-2024-32459: Out-of-bounds read in ncrush_decompress.
- CVE-2024-32460: Out-of-bounds read in interleaved_decompress.
- CVE-2024-32658: Out-of-bounds read in ExtractRunLengthRegular*.
- CVE-2024-32659: Out-of-bounds read in freerdp_image_copy.
- CVE-2024-32660: Out of memory condition in zgfx_decompress.
- CVE-2024-32661: NULL dereference in rdp_write_logon_info_v1.

The update is essential for users of FreeRDP2 on Debian 10 to ensure their systems remain secure against the aforementioned vulnerabilities. It is recommended that users apply the update as soon as possible to mitigate the risks posed by these security flaws.
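Checking a host against the fixed version named above requires Debian's version ordering, in which `~` sorts before the end of the string, so `2.3.0+dfsg1-2+deb11u3~deb10u1` is older than `2.3.0+dfsg1-2+deb11u3`. The Python below is an added example, not part of the advisory or of dpkg: it reimplements that comparison and applies it to constructed package lines (the function names and all sample versions other than the fixed one are assumptions made for illustration).

```python
import re
from itertools import zip_longest

FIXED = "2.3.0+dfsg1-2+deb11u3~deb10u1"  # fixed version stated in the advisory

def _order(c):  # dpkg order for non-digits: '~' first, then letters, then symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _tokens(s):
    # (non-digit run, number) pairs; the 0 closing each run sorts after '~', before all else
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"([^0-9]*)([0-9]*)", s)]

def _cmp_part(a, b):
    for x, y in zip_longest(_tokens(a), _tokens(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):  # [epoch:]upstream[-revision]
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    """Return -1, 0 or 1 when Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_lines, source="freerdp2", fixed=FIXED):
    """Binary packages built from `source` whose installed version is below `fixed`."""
    rows = (line.split() for line in dpkg_lines.splitlines())
    return [(r[1], r[2]) for r in rows
            if len(r) == 3 and r[0] == source and deb_cmp(r[2], fixed) < 0]

# Constructed sample, shaped like: dpkg-query -W -f '${source:Package} ${Package} ${Version}\n'
SAMPLE = """\
freerdp2 libfreerdp2-2 2.3.0+dfsg1-2+deb11u3~deb10u1
freerdp2 freerdp2-x11 2.3.0+dfsg1-2+deb11u2~deb10u1
freerdp2 libwinpr2-2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
freerdp2 libfreerdp-client2-2 2.3.0+dfsg1-2+deb11u3
openssl libssl1.1 1.1.1n-0+deb10u6
"""

if __name__ == "__main__":
    for pkg, ver in unpatched(SAMPLE):
        print(f"{pkg} {ver} is older than {FIXED}")
```

On a Debian host, `dpkg --compare-versions <installed> lt <fixed>` performs the same comparison.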

Additionally, it is crucial for system administrators to stay vigilant and regularly check for updates to their software packages, especially those related to security, to protect their environments from potential threats. Implementing regular security audits and using security tools can further enhance the overall security posture of systems running FreeRDP2 and other software.


Updated FreeRDP2 packages are available for Debian GNU/Linux 10 (Buster) Extended LTS:

ELA-1483-1 freerdp2 security update
