freerdp3 (3.22.0+dfsg-3)
NEW: VCS has unreleased changes: 3.23.0+dfsg-1 > 3.22.0+dfsg-3
- Git: https://salsa.debian.org/debian-remote-team/freerdp3.git
- Branch: master
- Path: debian/changelog
- Repo size: 5152768
- Browser: https://salsa.debian.org/debian-remote-team/freerdp3
- Last scan: 2026-02-25 15:23:31+00
- Next scan: 2026-03-03 01:57:00+00
- Debian changelog in Git:
freerdp3 (3.23.0+dfsg-1) unstable; urgency=medium
* new upstream release, with enhancements and more security fixes:
CVE-2026-25941 Out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
CVE-2026-25942 Global-buffer-overflow in xf_rail_server_execute_result
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
CVE-2026-25952 Heap-use-after-free in xf_SetWindowMinMaxInfo
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x
CVE-2026-25953 Heap-use-after-free in xf_AppUpdateWindowFromSurface
(freed appWindow)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p
CVE-2026-25954 Heap-use-after-free in xf_rail_server_local_move_size
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cc88-4j37-mw6j
CVE-2026-25955 Heap-use-after-free in xf_AppUpdateWindowFromSurface
(stale XImage)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
CVE-2026-25959 Heap-use-after-free in xf_cliprdr_provide_data_
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c
CVE-2026-25997 Heap-use-after-free in xf_clipboard_format_equal
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5j3-m6jf-3jq4
CVE-2026-26271 Buffer Overread in FreeRDP Icon Processing
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hr4m-ph4g-48j6
(note: there's apparently some issue linking the CVE# to this advisory)
CVE-2026-26986 Heap-use-after-free in rail_window_free
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47
CVE-2026-27015 Smartcard NDR Alignment Padding Triggers Reachable
WINPR_ASSERT Abort (Client DoS)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725
CVE-2026-26955 Heap Out-of-Bounds Write in ClearCodec Surface Command
Handler via Missing Bounds Validation
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj
CVE-2026-26965 Heap Out-of-Bounds Write in Planar Bitmap RLE Decompression
via Destination Offset
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h
* libwinpr3-3.symbols, libfreerdp3-3.symbols,
libfreerdp-server-proxy3-3.symbols: add newly appeared symbols
* libfreerdp-shadow3-3.symbols: remove rdtk_* symbols.
rdtk is now optional and defaults-off because it is unmaintained.
It wasn't used much anyway. In Debian, this library has no reverse
dependencies outside of freerdp3. So let's just drop these symbols for now,
and if a problem occurs, we can fix it later
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 25 Feb 2026 17:24:26 +0300
- This branch is even with tag debian/3.23.0+dfsg-1