[winswitch] [ANNOUNCE] Xpra 4.2.2 - critical fixes, including one CVE

Antoine Martin totaam at xpra.org
Tue Aug 10 08:12:47 BST 2021


Hi,

The star of this release is - unfortunately - a denial-of-service
vulnerability in the rencode packet decoder:
https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
The assignment of a CVE is still pending, but it only takes 11 bytes to
completely disable a server listening on a public socket.

The xpra.org repositories include patched RPMs; Debian users will need
to wait for a security update from their maintainers.
The MacOS and MS Windows builds will include the fixed version from now
on, but all previous builds are vulnerable.
(the dangers of large monolithic builds should be obvious)

There are things you can do to mitigate this issue:
* remove the cython accelerated rencode module - as the plain python
implementation does not have this bug. On Posix:
rm `python3 -c "from rencode import _rencode;print(_rencode.__file__)"`
The performance loss is acceptable.
* disable rencode using '--packet-encoders=bencode'

This option is not recommended as it may have undesirable side effects.
Also, it does not work properly with all xpra versions due to a bug
(fixed in 4.2.2) and it may also expose other bugs.

A new version of the html5 client will be posted soon after this
release, it includes a re-written rencode packet parser - faster and
immune to this bug.

Apart from that, there are other worthy fixes: two crasher bugs and a
bug in the menu loading which could explain some mysterious jumps in
server latency that people have been experiencing.


The more detailed release notes can be found here:
https://github.com/Xpra-org/xpra/releases/tag/v4.2.2

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download

Cheers
Antoine
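The first mitigation above boils down to "find the compiled _rencode extension and get rid of it". The following is an added example, not xpra or rencode project code, that does the same thing a little more carefully: it tells you whether the installed rencode is missing, pure Python, or using the Cython-accelerated module that carries the bug, and it renames the compiled file aside (reversibly) instead of deleting it, rolling back if rencode no longer imports afterwards. Function names and the ".disabled" suffix are this example's own choices. It does not check the rencode version, because the announcement names the fixing commit but not a release number, so a patched accelerated build will still be reported as "accelerated".

```python
"""Locate the Cython-accelerated rencode decoder (rencode._rencode) and,
on request, move it aside so rencode falls back to its pure-Python code.

Added example for the xpra 4.2.2 announcement; not xpra or rencode code.
Names below (is_compiled_extension, find_compiled_extension,
rencode_status, neutralize_accelerated_rencode, the ".disabled" suffix)
are this example's own assumptions, not project APIs.
"""
import importlib
import importlib.machinery
import importlib.util
import os
import sys

# Suffixes a compiled extension module can carry on this interpreter,
# e.g. ".cpython-39-x86_64-linux-gnu.so" on Linux or ".cp39-win_amd64.pyd"
# on Windows.  A pure-Python module ends in ".py" and never matches.
EXTENSION_SUFFIXES = tuple(importlib.machinery.EXTENSION_SUFFIXES)


def is_compiled_extension(path):
    """True if `path` names a compiled (C/Cython) extension module rather
    than a .py source file, judged by the interpreter's own suffix list."""
    return path is not None and path.endswith(EXTENSION_SUFFIXES)


def find_compiled_extension(module_name):
    """Return the file path of `module_name` if it resolves to a compiled
    extension, else None (not installed, pure Python, or a built-in)."""
    try:
        spec = importlib.util.find_spec(module_name)
    except (ImportError, ValueError):
        # ImportError covers a missing parent package (e.g. no rencode at
        # all); ValueError covers odd entries already in sys.modules.
        return None
    if spec is None or spec.origin is None:
        return None
    return spec.origin if is_compiled_extension(spec.origin) else None


def rencode_status():
    """Classify the installed rencode as 'missing', 'pure-python' or
    'accelerated' (the Cython module the announcement says to remove)."""
    if importlib.util.find_spec("rencode") is None:
        return "missing"
    if find_compiled_extension("rencode._rencode"):
        return "accelerated"
    return "pure-python"


def neutralize_accelerated_rencode(dry_run=True):
    """Rename the compiled _rencode module to <path>.disabled so that
    `import rencode` takes the pure-Python fallback, then verify that the
    fallback actually imports; on failure the rename is undone so the
    server is not left without a packet decoder at all.
    Returns the extension path that was (or would be) moved, else None."""
    path = find_compiled_extension("rencode._rencode")
    if path is None:
        return None
    moved = path + ".disabled"
    if dry_run:
        print("would rename %s -> %s" % (path, moved))
        return path
    os.rename(path, moved)
    # Forget any cached module objects so the re-import really exercises
    # the fallback rather than reusing the already-loaded extension.
    for name in ("rencode", "rencode._rencode"):
        sys.modules.pop(name, None)
    try:
        importlib.import_module("rencode")
    except ImportError:
        os.rename(moved, path)
        raise
    return path


if __name__ == "__main__":
    print("rencode:", rencode_status())
    print("accelerated module:", find_compiled_extension("rencode._rencode"))
    neutralize_accelerated_rencode(dry_run="--apply" not in sys.argv)
```

Run it as the user that owns the Python site-packages (root for a system install), first without arguments to see what it would do, then with --apply. Because the file is renamed rather than removed, restoring the accelerated decoder after upgrading to a fixed rencode is a single rename back.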


