HI all,Currently, we have tons of CVE issues open for FreeRDP (v1.1) regarding jessie+stretch:
https://security-tracker.debian.org/tracker/source-package/freerdp
And the same set of CVEs for FreeRDP v2 for buster and testing/unstable: https://security-tracker.debian.org/tracker/source-package/freerdp2All issues have been esp. filed against FreeRDP v2 and proposed patches are also applicable against FreeRDP v2.
Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable effort. IMHO, we should think about avoiding this.
With the end of jessie LTS and the upcoming of stretch LTS, I'd like to propose the following changes for FreeRDP in old versions of Debian:
* EOL freerdp 1.1 for jessie (E)LTS
-> impacts: jessie ELTS won't have any version of FreeRDP
* consider EOL'ing freerdp 1.1 for stretch LTS
-> impacts: ltsp-client (easy to resolve, it can use freerdp2)
-> impacts: medusa (resolve by dropping freerdp support)
-> impacts: vlc-plugin-access-extra (drop freerdp support)
* CVE-fix freerdp2 in buster
* consider shipping freerdp2 for stretch LTS
(as found in buster / stretch-backports)
-> impacts: remmina (ship buster's / stretch-backports version)
Please send your thoughts and feedback on this!
Thanks+Greets,
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
pgpBnY2A4chPi.pgp
Description: Digitale PGP-Signatur
