From totaam at xpra.org Thu Oct 5 17:56:45 2023 From: totaam at xpra.org (Antoine Martin) Date: Thu, 5 Oct 2023 23:56:45 +0700 Subject: [winswitch] [ANNOUNCE] Xpra LTS 5.0.3 Message-ID: Hi, This update to the v5 LTS branch contains many fixes but none of them are particularly new or interesting. There is no urgency to update if you were not affected by these issues. That said, there is one very important exception: the MacOS and MS Windows builds have been updated to use the latest libvpx and libwebp versions to fix a pair of 0-day CVEs. These vulnerabilities are trivial to exploit remotely since the xpra client is designed to receive webp and vp8 / vp9 screen updates. One mitigating factor compared to browsers is that one would need to connect to a compromised system or have traffic injected into an unsecured connection. All previous MacOS and MS Windows builds ever released are affected by this issue and should no longer be used. Another way of protecting client systems from this vulnerability would be to specify the list of encodings and remove the problematic ones - this is not a recommended solution. For servers, it is slightly easier as the `webcam` and `clipboard` are the only vulnerable subsystems and they can easily be disabled - but Linux servers should be receiving system updates from their regular channels anyway. https://github.com/Xpra-org/xpra/releases/tag/v5.0.3 Downloads: https://github.com/Xpra-org/xpra/wiki/Download Cheers, Antoine From totaam at xpra.org Mon Oct 16 14:55:20 2023 From: totaam at xpra.org (Antoine Martin) Date: Mon, 16 Oct 2023 20:55:20 +0700 Subject: [winswitch] [ANNOUNCE] xpra-html5 v9.1 Message-ID: <26b431c6-1782-61f1-a1e4-5879ce9305e5@xpra.org> Hi, This release contains a single actual code change, fixing compatibility with v5.x xpra servers which restores the missing start menu. For more details, please see: https://github.com/Xpra-org/xpra-html5/releases/tag/v9.1 Cheers, Antoine