Hi,

This update to the v5 LTS branch contains many fixes but none of them are particularly new or interesting.
There is no urgency to update if you were not affected by these issues.

That said, there is one very important exception: the MacOS and MS Windows builds have been updated to use the latest libvpx and libwebp versions to fix a pair of 0-day CVEs. These vulnerabilities are trivial to exploit remotely since the xpra client is designed to receive webp and vp8 / vp9 screen updates. One mitigating factor compared to browsers is that one would need to connect to a compromised system or have traffic injected into an unsecured connection.

All previous MacOS and MS Windows builds ever released are affected by this issue and should no longer be used. Another way of protecting client systems from this vulnerability would be to specify the list of encodings and remove the problematic ones - this is not a recommended solution.

For servers, it is slightly easier as the `webcam` and `clipboard` are the only vulnerable subsystems and they can easily be disabled - but Linux servers should be receiving system updates from their regular channels anyway.

https://github.com/Xpra-org/xpra/releases/tag/v5.0.3

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download

Cheers,
Antoine
