Newsgroup: linux.debian.bugs.dist
From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Tokarev
Subject: Bug#1127479: trixie-pu: package freerdp3
Date: 09 Feb 26 18:20:01
XPost: linux.debian.devel.release

Hi,

On Mon, Feb 09, 2026 at 04:24:06PM +0300, Michael Tokarev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: freerdp3@packages.debian.org, team@security.debian.org
> Control: affects -1 + src:freerdp3
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> Initially there were 2 bugfixes for 2 severity-important bugs
> from the BTS, plus restoration of freerdp icon display, and I
> thought about pushing this release for 13.3.
>
> However, a large number of security fixes came in.
>
> So in addition to the above 3 fixes, there are also fixes for 29
> security issues, plus a small number of preparational patches,
> all picked up from the upstream git repository.
>
> The complete debdiff is over 400Kb in size.
> I'm sorry for it being so large, but here we go.
>
> The list of actual security fixes with the links to complete
> descriptions is in the changelog, below.
>
> This update should close all security issues found and later
> fixed in forky.
>
> While picking up upstream fixes, I also picked up a few other
> changes in the same areas, so the fixes apply cleanly and
> don't require back-porting. In most such cases, the other
> changes are harmless - like improving logging or rearranging
> code a tiny bit to be less obscure - like clang-warnings-fix-Wjump-
> misses-init-*.patch. In my opinion, in this case, such extra
> changes do not hurt at all, but make the actual fix apply
> cleanly and avoid extra possible mistakes while back-porting.
>
> One change, however, is more than that: this is a preparational
> patch for CVE-2026-24677, rdpecam-fix-camera-sample-grabbing.patch.
> It is a bugfix on its own, so I decided to pick it up too, since
> it changes code in this area quite significantly, and back-porting
> the later fix becomes a real challenge. This patch should not do any
> harm.
>
> [ Impact ]
> This is a really large number of security issues, most of which
> are about a malicious RDP server doing bad things. Even if in
> many cases the RDP server a user connects to can be sort
> of trusted, it's not a good thing to have bugs in this area.
>
> [ Tests ]
> There wasn't much testing done for this (huge) release. I only
> verified the main xfreerdp3 client works in basic scenarios -
> personally I use this release myself to access several versions
> of Windows RDP servers, and it continues working as expected.
>
> There's one correction already, on top of CVE-2026-24491, which is
> also included in this release, but it was found quite fast, and I
> found it missing in my testing of the Debian package.
>
> I haven't checked more advanced functionality though. Also, I
> checked usage of the freerdp-client shared library only briefly
> (with Gnome Connections).
>
> [ Risks ]
> The risks with this release are relatively high, due to the large
> number of fixes being back-ported after a large number of other
> changes in the code. So there's a trade-off between risks and
> security issues.
>
> Due to this reason, it would be best if this release sat in
> trixie-proposed-updates for a while.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> See the top of debdiff.
>
> [ Other info ]
> Since this release is mostly about security fixes, it might also
> be worth considering pushing this through trixie-security. But
> at the same time, due to the relatively high risk of breaking something,
> it might not be a good idea. Either way, I'm Cc'ing the Security
> Team.

I think they should be fixed via the next point release, but have an
upload ideally accepted early to give it exposure to testers for
regressions.

A minor nitpick: You cannot choose 3.15.0+dfsg-2+deb13u1 as the version, as
3.15.0+dfsg-2.1 is the version which is in stable. So that would be
3.15.0+dfsg-2.1+deb13u1 .

Regards,
Salvatore