SUSE-SU-2023:4611-1: moderate: Security update for freerdp
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Wed Nov 29 16:30:12 UTC 2023
# Security update for freerdp
Announcement ID: SUSE-SU-2023:4611-1
Rating: moderate
References:
* bsc#1214856
* bsc#1214857
* bsc#1214858
* bsc#1214859
* bsc#1214860
* bsc#1214862
* bsc#1214863
* bsc#1214864
* bsc#1214866
* bsc#1214867
* bsc#1214868
* bsc#1214869
* bsc#1214870
* bsc#1214871
* bsc#1214872
Cross-References:
* CVE-2023-39350
* CVE-2023-39351
* CVE-2023-39352
* CVE-2023-39353
* CVE-2023-39354
* CVE-2023-39356
* CVE-2023-40181
* CVE-2023-40186
* CVE-2023-40188
* CVE-2023-40567
* CVE-2023-40569
* CVE-2023-40574
* CVE-2023-40575
* CVE-2023-40576
* CVE-2023-40589
CVSS scores:
* CVE-2023-39350 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39350 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39351 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39351 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39352 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39352 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39353 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39353 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39354 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39354 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39356 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39356 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40181 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40186 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40186 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40188 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40188 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40567 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40567 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40569 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40569 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40574 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40574 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40575 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40575 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40576 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40576 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40589 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2023-40589 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
* SUSE Linux Enterprise Software Development Kit 12 SP5
* SUSE Linux Enterprise Workstation Extension 12 12-SP5
An update that solves 15 vulnerabilities can now be installed.
## Description:
This update for freerdp fixes the following issues:
* CVE-2023-39350: Fixed incorrect offset calculation leading to DoS
(bsc#1214856).
* CVE-2023-39351: Fixed Null Pointer Dereference leading DoS in RemoteFX
(bsc#1214857).
* CVE-2023-39352: Fixed Invalid offset validation leading to Out Of Bound
Write (bsc#1214858).
* CVE-2023-39353: Fixed Missing offset validation leading to Out Of Bound Read
(bsc#1214859).
* CVE-2023-39354: Fixed Out-Of-Bounds Read in nsc_rle_decompress_data
(bsc#1214860).
* CVE-2023-39356: Fixed Missing offset validation leading to Out-of-Bounds
Read in gdi_multi_opaque_rect (bsc#1214862).
* CVE-2023-40181: Fixed Integer-Underflow leading to Out-Of-Bound Read in
zgfx_decompress_segment (bsc#1214863).
* CVE-2023-40186: Fixed IntegerOverflow leading to Out-Of-Bound Write
Vulnerability in gdi_CreateSurface (bsc#1214864).
* CVE-2023-40188: Fixed Out-Of-Bounds Read in general_LumaToYUV444
(bsc#1214866).
* CVE-2023-40567: Fixed Out-Of-Bounds Write in clear_decompress_bands_data
(bsc#1214867).
* CVE-2023-40569: Fixed Out-Of-Bounds Write in progressive_decompress
(bsc#1214868).
* CVE-2023-40574: Fixed Out-Of-Bounds Write in
general_YUV444ToRGB_8u_P3AC4R_BGRX (bsc#1214869).
* CVE-2023-40575: Fixed Out-Of-Bounds Read in
general_YUV444ToRGB_8u_P3AC4R_BGRX (bsc#1214870).
* CVE-2023-40576: Fixed Out-Of-Bounds Read in RleDecompress (bsc#1214871).
* CVE-2023-40589: Fixed Global-Buffer-Overflow in ncrush_decompress
(bsc#1214872).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4611=1
* SUSE Linux Enterprise Workstation Extension 12 12-SP5
zypper in -t patch SUSE-SLE-WE-12-SP5-2023-4611=1
## Package List:
* SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x
x86_64)
* libfreerdp2-debuginfo-2.1.2-12.38.1
* freerdp-debuginfo-2.1.2-12.38.1
* libfreerdp2-2.1.2-12.38.1
* freerdp-debugsource-2.1.2-12.38.1
* libwinpr2-2.1.2-12.38.1
* winpr2-devel-2.1.2-12.38.1
* freerdp-devel-2.1.2-12.38.1
* libwinpr2-debuginfo-2.1.2-12.38.1
* SUSE Linux Enterprise Workstation Extension 12 12-SP5 (x86_64)
* freerdp-debuginfo-2.1.2-12.38.1
* libfreerdp2-debuginfo-2.1.2-12.38.1
* libfreerdp2-2.1.2-12.38.1
* freerdp-server-2.1.2-12.38.1
* freerdp-debugsource-2.1.2-12.38.1
* freerdp-proxy-2.1.2-12.38.1
* libwinpr2-2.1.2-12.38.1
* freerdp-2.1.2-12.38.1
* libwinpr2-debuginfo-2.1.2-12.38.1
## References:
* https://www.suse.com/security/cve/CVE-2023-39350.html
* https://www.suse.com/security/cve/CVE-2023-39351.html
* https://www.suse.com/security/cve/CVE-2023-39352.html
* https://www.suse.com/security/cve/CVE-2023-39353.html
* https://www.suse.com/security/cve/CVE-2023-39354.html
* https://www.suse.com/security/cve/CVE-2023-39356.html
* https://www.suse.com/security/cve/CVE-2023-40181.html
* https://www.suse.com/security/cve/CVE-2023-40186.html
* https://www.suse.com/security/cve/CVE-2023-40188.html
* https://www.suse.com/security/cve/CVE-2023-40567.html
* https://www.suse.com/security/cve/CVE-2023-40569.html
* https://www.suse.com/security/cve/CVE-2023-40574.html
* https://www.suse.com/security/cve/CVE-2023-40575.html
* https://www.suse.com/security/cve/CVE-2023-40576.html
* https://www.suse.com/security/cve/CVE-2023-40589.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214856
* https://bugzilla.suse.com/show_bug.cgi?id=1214857
* https://bugzilla.suse.com/show_bug.cgi?id=1214858
* https://bugzilla.suse.com/show_bug.cgi?id=1214859
* https://bugzilla.suse.com/show_bug.cgi?id=1214860
* https://bugzilla.suse.com/show_bug.cgi?id=1214862
* https://bugzilla.suse.com/show_bug.cgi?id=1214863
* https://bugzilla.suse.com/show_bug.cgi?id=1214864
* https://bugzilla.suse.com/show_bug.cgi?id=1214866
* https://bugzilla.suse.com/show_bug.cgi?id=1214867
* https://bugzilla.suse.com/show_bug.cgi?id=1214868
* https://bugzilla.suse.com/show_bug.cgi?id=1214869
* https://bugzilla.suse.com/show_bug.cgi?id=1214870
* https://bugzilla.suse.com/show_bug.cgi?id=1214871
* https://bugzilla.suse.com/show_bug.cgi?id=1214872
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20231129/486035f7/attachment.htm>
More information about the sle-updates
mailing list