openSUSE-SU-2026:20339-1

Описание

This update for freerdp fixes the following issues:

Update to version 3.22.0 (jsc#PED-15526):

• Major bugfix release:

  • Complete overhaul of SDL client
  • Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language version specific [[nodiscard]] attributes
  • Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors are producing warnings now
  • Add some more stringify functions for logging
  • We've received CVE reports, check https://github.com/FreeRDP/FreeRDP/security/advisories for more details! @Keryer reported an issue affecting client and proxy:
    • CVE-2026-23948 @ehdgks0627 did some more fuzzying and found quite a number of client side bugs.
    • CVE-2026-24682
    • CVE-2026-24683
    • CVE-2026-24676
    • CVE-2026-24677
    • CVE-2026-24678
    • CVE-2026-24684
    • CVE-2026-24679
    • CVE-2026-24681
    • CVE-2026-24675
    • CVE-2026-24491
    • CVE-2026-24680

• Changes from version 3.21.0

  • [core,info] fix missing NULL check (#12157)
  • [gateway,tsg] fix TSG_PACKET_RESPONSE parsing (#12161)
  • Allow querying auth identity with kerberos when running as a server (#12162)
  • Sspi krb heimdal (#12163)
  • Tsg fix idleTimeout parsing (#12167)
  • [channels,smartcard] revert 649f7de (#12166)
  • [crypto] deprecate er and der modules (#12170)
  • [channels,rdpei] lock full update, not only parts (#12175)
  • [winpr,platform] add WINPR_ATTR_NODISCARD macro (#12178)
  • Wlog cleanup (#12179)
  • new stringify functions & touch API defines (#12180)
  • Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos (#12171)
  • [channels,video] measure times in ns (#12184)
  • [utils] Nodiscard (#12187)
  • Error handling fixes (#12186)
  • [channels,drdynvc] check pointer before reset (#12189)
  • Winpr api def (#12190)
  • [winpr,platform] drop C23 [[nodiscard]] (#12192)
  • [gdi] add additional checks for a valid rdpGdi (#12194)
  • Sdl3 high dpiv2 (#12173)
  • peer: Disconnect if Logon() returned FALSE (#12196)
  • [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing (#12197)
  • [channel,rdpsnd] only clean up thread before free (#12199)
  • [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP (#12195)

• Update to version 3.21.0:

  • Bugfix release with a few new API functions addressing shortcomings with regard to input data validation. Thanks to @ehdgks0627 we have fixed the following additional (medium) client side vulnerabilities:

    • CVE-2026-23530
    • CVE-2026-23531
    • CVE-2026-23532
    • CVE-2026-23533
    • CVE-2026-23534
    • CVE-2026-23732
    • CVE-2026-23883
    • CVE-2026-23884

• Changes from version 3.20.2

  • [client,sdl] fix monitor resolution (#12142)
  • [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
  • Krb cache fix (#12145)
  • Rdpdr improved checks (#12141)
  • Codec advanced length checks (#12146)
  • Glyph fix length checks (#12151)
  • Wlog printf format string checks (#12150)
  • [warnings,format] fix format string warnings (#12152)
  • Double free fixes (#12153)
  • [clang-tidy] clean up code warnings (#12154)

• Update to version 3.20.2:

  • Patch release fixing a regression with gateway connections introduced with 3.20.1

    What's Changed

    • Warnings and missing enumeration types (#12137)

• Changes from version 3.20.1:

  • New years cleanup release. Fixes some issues reported and does a cleaning sweep to bring down warnings. Thanks to @ehdgks0627 doing some code review/testing we've uncovered the following (medium) vulnerabilities:

    • CVE-2026-22851
    • CVE-2026-22852
    • CVE-2026-22853
    • CVE-2026-22854
    • CVE-2026-22855
    • CVE-2026-22856
    • CVE-2026-22857
    • CVE-2026-22858
    • CVE-2026-22859

  • These affect FreeRDP based clients only, with the exception of CVE-2026-22858 also affecting FreeRDP proxy. FreeRDP based servers are not affected.

• Update to version 3.20.0:

  • Mingw fixes (#12070)
  • [crypto,certificate_data] add some hostname sanitation
  • [client,common]: Fix loading of rdpsnd channel
  • [client,sdl] set touch and pen hints

• Changes from version 3.19.1:

  • [core,transport] improve SSL error logging
  • [utils,helpers] fix freerdp_settings_get_legacy_config_path
  • From stdin and sdl-creds improve
  • [crypto,certificate] sanitize hostnames
  • [channels,drdynvc] propagate error in dynamic channel
  • [CMake] make Mbed-TLS and LibreSSL experimental
  • Json fix
  • rdpecam: send sample only if it's available
  • [channels,rdpecam] allow MJPEG frame skip and direct passthrough
  • [winpr,utils] explicit NULL checks in jansson WINPR_JSON_ParseWithLength

• Changes from version 3.19.0:

  • [client,common] fix retry counter
  • [cmake] fix aarch64 neon detection
  • Fix response body existence check when using RDP Gateway
  • fix line clipping issue
  • Clip coord fix
  • [core,input] Add debug log to keyboard state sync
  • Update command line usage for gateway option
  • [codec,ffmpeg] 8.0 dropped AV_PROFILE_AAC_MAIN
  • [channels,audin] fix pulse memory leak
  • [channels,drive] Small performance improvements in drive channel
  • [winpr,utils] fix command line error logging
  • [common,test] Adjust AVC and H264 expectations
  • drdynvc: implement compressed packet
  • [channels,rdpecam] improve log messages
  • Fix remote credential guard channel loading
  • Fix inverted ifdef
  • [core,nego] disable all enabled modes except the one requested
  • rdpear: handle basic NTLM commands and fix server-side
  • [smartcardlogon] Fix off-by-one error in smartcard_hw_enumerateCerts
  • rdpecam: fix camera sample grabbing

• Update to version 3.18.0:

  • Fix a regression reading passwords from stdin
  • Fix a timer regression (µs instead of ms)
  • Improved multitouch support
  • Fix a bug with PLANAR codec (used with /bpp:32 or sometimes with /gfx)
  • Better error handling for ARM transport (Entra)
  • Fix audio encoder lag (microphone/AAC) with FFMPEG
  • Support for janssen JSON library

• Update to version 3.17.2:

  • Minor improvements and bugfix release.
  • Most notably resource usage (file handles) has been greatly reduced and static build pkg-config have been fixed. For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession mode has been fixed (working UAC screen)

• Changes from version 3.17.1

  • Minor improvements and bugfix release.
    • most notably a memory leak was addressed
    • fixed header files missing C++ guards
    • xfreerdp as well as the SDL clients now support a system wide configuration file
    • Heimdal kerberos support was improved
    • builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used (this configuration was never supported, so ensure nobody compiles it that way)

• Enable openh264 support, we can build against the noopenh264 stub

• Update to 3.17.0:

  • [client,sdl2] fix build with webview (#11685)
  • [core,nla] use wcslen for password length (#11687)
  • Clear channel error prior to call channel init event proc (#11688)
  • Warn args (#11689)
  • [client,common] fix -mouse-motion (#11690)
  • [core,proxy] fix IPv4 and IPv6 length (#11692)
  • Regression fix2 (#11696)
  • Log fixes (#11693)
  • [common,settings] fix int casts (#11699)
  • [core,connection] fix log level of several messages (#11697)
  • [client,sdl] print current video driver (#11701)
  • [crypto,tls] print big warning for /cert:ignore (#11704)
  • [client,desktop] fix StartupWMClass setting (#11708)
  • [cmake] unify version creation (#11711)
  • [common,settings] force reallocation on caps copy (#11715)
  • [manpages] Add example of keyboard remapping (#11718)
  • Some fixes in Negotiate and NLA (#11722)
  • [client,x11] fix clipboard issues (#11724)
  • kerberos: do various tries for TGT retrieval in u2u (#11723)
  • Cmdline escape strings (#11735)
  • [winpr,utils] do not log command line arguments (#11736)
  • [api,doc] Add stylesheed for doxygen (#11738)
  • [core,proxy] fix BIO read methods (#11739)
  • [client,common] fix sso_mib_get_access_token return value in error case (#11741)
  • [crypto,tls] do not use context->settings->instance (#11749)
  • winpr: re-introduce the credentials module (#11734)
  • [winpr,timezone] ensure thread-safe initialization (#11754)
  • core/redirection: Ensure stream has enough space for the certificate (#11762)
  • [client,common] do not log success (#11766)
  • Clean up bugs exposed on systems with high core counts (#11761)
  • [cmake] add installWithRPATH (#11747)
  • [clang-tidy] fix various warnings (#11769)
  • Wlog improve type checks (#11774)
  • [client,common] fix tenantid command line parsing (#11779)
  • Proxy module static and shared linking support (#11768)
  • LoadLibrary Null fix (#11786)
  • [client,common] add freerdp_client_populate_settings_from_rdp_file_un… (#11780)
  • Fullchain support (#11787)
  • [client,x11] ignore floatbar events (#11771)
  • [winpr,credentials] prefer utf-8 over utf-16-LE #11790
  • [proxy,modules] ignore bitmap-filter skip remaining #11789

• Update to 3.16.0:

  • Lots of improvements for the SDL3 client
  • Various X11 client improvements
  • Add a timer implementation
  • Various AAD/Azure/Entra improvements
  • YUV420 primitives fixes

• Update to 3.15.0:

  • [client,sdl] fix crash on suppress output
  • [channels,remdesk] fix possible memory leak
  • [client,x11] map exit code success
  • Hidef rail checks and deprecation fixe
  • Standard rdp security network issues
  • [core,rdp] fix check for SEC_FLAGSHI_VALID
  • [core,caps] fix rdp_apply_order_capability_set
  • [core,proxy] align no_proxy to curl
  • [core,gateway] fix string reading for TSG
  • [client,sdl] refactor display update

• Update to version 3.14.0:

  • Bugfix and cleanup release. Due to some new API functions the minor version has been increased.

• Changes from version 3.13.0:

  • Friends of old hardware rejoice, serial port redirection got an update (not kidding you)
  • Android builds have been updated to be usable again
  • Mingw builds now periodically do a shared and static build
  • Fixed some bugs and regressions along the way and improved test coverage as well

• Changes from version 3.12.0:

  • Multimonitor backward compatibility fixes
  • Smartcard compatibility
  • Improve the [MS-RDPECAM] support
  • Improve smartcard redirection support
  • Refactor SSE optimizations: Split headers, unify load/store, require SSE3 for all optimized functions
  • Refactors the CMake build to better support configuration based builders
  • Fix a few regressions from last release (USB redirection and graphical glitches)

• Changes from version 3.11.0:

  • A new release with bugfixes and code cleanups as well as a few nifty little features

• CVE-2024-22211: In affected versions an integer overflow in freerdp_bitmap_planar_context_reset leads to heap-buffer overflow. (bsc#1219049)

• CVE-2024-32658: Fixedout-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients (bsc#1223353)

• Multiple CVE fixes

  • CVE-2024-32659: Fixed out-of-bounds read if ((nWidth == 0) and (nHeight == 0))(bsc#1223346)
  • CVE-2024-32660: Fixed client crash via invalid huge allocation size (bsc#1223347)
  • CVE-2024-32661: Fixed client NULL pointer dereference (bsc#1223348)

• Multiple CVE fixes:

  • bsc#1223293, CVE-2024-32039

  • bsc#1223294, CVE-2024-32040

  • bsc#1223295, CVE-2024-32041

  • bsc#1223296, CVE-2024-32458

  • bsc#1223297, CVE-2024-32459

  • bsc#1223298, CVE-2024-32460

  • Fix CVE-2023-40574 - bsc#1214869: Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX

  • Fix CVE-2023-40575 - bsc#1214870: Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX

  • Fix CVE-2023-40576 - bsc#1214871: Out-Of-Bounds Read in RleDecompress