Hi,

The star of this release is - unfortunately - a denial-of-service vulnerability in the rencode packet decoder:
https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75

The assignment of a CVE is still pending, but it only takes 11 bytes to completely disable a server listening on a public socket.

The xpra.org repositories include patched RPMs; Debian users will need to wait for a security update from their maintainers. The MacOS and MS Windows builds will include the fixed version from now on, but all previous builds are vulnerable. (The dangers of large monolithic builds should be obvious.)

There are things you can do to mitigate this issue:

* remove the cython accelerated rencode module - as the plain python implementation does not have this bug. On Posix:

    rm `python3 -c "from rencode import _rencode;print(_rencode.__file__)"`

  The performance loss is acceptable.

* disable rencode using '--packet-encoders=bencode'. This option is not recommended as it may have undesirable side effects. Also, it does not work properly with all xpra versions due to a bug (fixed in 4.2.2) and it may also expose other bugs.

A new version of the html5 client will be posted soon after this release; it includes a re-written rencode packet parser - faster and immune to this bug.

Apart from that, there are other worthy fixes: two crasher bugs and a bug in the menu loading which could explain some mysterious jumps in server latency that people have been experiencing.

The more detailed release notes can be found here:
https://github.com/Xpra-org/xpra/releases/tag/v4.2.2

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download

Cheers
Antoine

_______________________________________________
shifter-users mailing list
shifter-users@lists.devloop.org.uk
https://lists.devloop.org.uk/mailman/listinfo/shifter-users
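The announcement's first mitigation removes the compiled rencode module so that the pure-python decoder is used instead. The script below is an added example for verifying that the removal actually took effect on the interpreter xpra runs under; it is not xpra or rencode project code. It assumes the rencode package layout of the linked commit: an optional compiled Cython extension `rencode._rencode` that the package prefers when present, with a pure-python fallback when it is absent. The classification names (`not-installed`, `cython`, `pure-python`) are this example's own.

```python
"""Post-mitigation check: which rencode decoder would this host load?

Added example for the xpra 4.2.2 announcement; not xpra or rencode code.
Assumption: the 'rencode' package ships an optional compiled extension
'rencode._rencode' and falls back to pure Python when it is missing.
The announcement's mitigation deletes that compiled extension, so this
check reports whether the deletion took effect for *this* interpreter
(a different python3 on PATH than the one xpra uses is the usual trap).
"""
import importlib.machinery
import importlib.util


def accelerated_module_path(package="rencode"):
    """Return the file path of the compiled '<package>._rencode' extension,
    or None when it is absent (or the package itself is not installed).

    Only a compiled extension (.so / .pyd suffix) counts: that is the
    module the announcement identifies as carrying the decoder bug.
    """
    try:
        if importlib.util.find_spec(package) is None:
            return None
        spec = importlib.util.find_spec(f"{package}._rencode")
    except (ImportError, ValueError):
        # package present but broken or half-removed: treat as absent
        return None
    if spec is None or not spec.origin:
        return None
    if not spec.origin.endswith(tuple(importlib.machinery.EXTENSION_SUFFIXES)):
        return None
    return spec.origin


def rencode_backend(package="rencode"):
    """Classify the decoder a process importing '<package>' would use:
    'not-installed', 'cython' (the vulnerable compiled module) or
    'pure-python' (unaffected per the announcement, slower)."""
    try:
        if importlib.util.find_spec(package) is None:
            return "not-installed"
    except (ImportError, ValueError):
        return "not-installed"
    return "cython" if accelerated_module_path(package) else "pure-python"


if __name__ == "__main__":
    print("rencode backend:", rencode_backend())
    path = accelerated_module_path()
    if path:
        # this is the same file the announcement's `rm` one-liner removes
        print("compiled _rencode module still present at:", path)
```

Run it with the same `python3` binary that starts the xpra server (for packaged installs, the interpreter named in the `xpra` launcher script), since the mitigation only helps if the compiled module is gone from that interpreter's search path.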