freerdp3 (3.24.2+dfsg-1) [PTS] [DDPO]

COMMITS: VCS has seen 4 commits since the debian/3.24.2+dfsg-1 tag

Git: https://salsa.debian.org/debian-remote-team/freerdp3.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: master
Path: debian/changelog
Repo size: 7057408
Browser: https://salsa.debian.org/debian-remote-team/freerdp3
Last scan: 2026-04-16 07:12:04+00
Next scan: 2026-04-22 00:08:00+00

Debian changelog in Git:

freerdp3 (3.24.2+dfsg-1) unstable; urgency=medium

  * new upstream bugfix/security release:
    CVE-2026-33952 DoS via WINPR_ASSERT in rts_read_auth_verifier_no_checks
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93
    CVE-2026-33977 DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331)
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5
    CVE-2026-33995 double free in kerberos_AcceptSecurityContext
      and kerberos_IntitalizeSecurityContextA
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mv25-f4p2-5mxx
    CVE-2026-33984 ClearCodec resize_vbar_entry() Heap OOB Write
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6
    CVE-2026-33983 Progressive Codec Quant BYTE Underflow - UB + CPU DoS
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gfm-4p52-h478
    CVE-2026-33985 ClearCodec Glyph Cache Count Desync - Heap OOB Read
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x6gr-8p7h-5h85
    CVE-2026-33986 H.264 YUV Buffer Dimension Desync - Heap OOB Write
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97
    CVE-2026-33987 Persistent Cache bmpSize Desync - Heap OOB Write
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc
    CVE-2026-33982 Persistent Cache Allocator Mismatch - Heap OOB Read
      https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jm9-2925-g4v2

 -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 25 Mar 2026 20:00:40 +0300

This branch is 4 commits ahead of tag debian/3.24.2+dfsg-1

Git log:

commit 0c1deb3a5bc1781dd2c304d3ad52277951948dc9
Author: Sebastien Bacher <seb128@ubuntu.com>
Date:   Wed Mar 25 09:10:05 2026 +0100

    autopkgtest: Depend on freerdp-x11 instead of @
    
    to fix i386 autopkgtests for Ubuntu
    
    LP: #2146295
    
    Gbp-Dch: Full

commit 191ae0ced2cb0fbd8404d22cb9e582f95a7ee42d
Author: Jeremy Bícha <jbicha@ubuntu.com>
Date:   Tue Apr 7 19:46:42 2026 -0400

    Disable sso-mib for Ubuntu
    
    since sso-mib is not in Ubuntu main

commit 9cf91d064fce571cc2597b426fb0efd325495b2a
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Fri Apr 3 01:10:54 2026 +0100

    Enable sso-mib support
    
    sso-mib provides a library to integrate with Microsoft Azure Entra ID
    Conditional Access, via local brokers such as the open source
    Himmelblau, and that freerdp can use when the /aad option is enabled.
    
    Without this library, the /aad flow requires the user to parse the
    command line logs for a URL to open in the browser, then copy the
    URL it gets redirected to from the browser back to the client, then
    click on another URL, then check the journal for the browser's logs
    for the next redirect URL, then paste that into the client. This works
    but the UX is obviously terrible.
    
    The sso-mib library automates all of this via the identity broker.
    If the identity broker is not available then it automatically falls
    back to the previous /aad flow.

commit 1d098382bf28285e0ea39c20f79e55cfe85c8005
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Mar 29 13:29:11 2026 +0300

    remove two "fixed" entries from the last changelog - it were fixed by previous version