[winswitch] [ANNOUNCE] Xpra LTS 5.0.3
Antoine Martin
totaam at xpra.org
Thu Oct 5 17:56:45 BST 2023
Hi,

This update to the v5 LTS branch contains many fixes but none of them
are particularly new or interesting.
There is no urgency to update if you were not affected by these issues.

That said, there is one very important exception: the MacOS and MS
Windows builds have been updated to use the latest libvpx and libwebp
versions to fix a pair of 0-day CVEs.
These vulnerabilities are trivial to exploit remotely since the xpra
client is designed to receive webp and vp8 / vp9 screen updates.
One mitigating factor compared to browsers is that one would need to
connect to a compromised system or have traffic injected into an
unsecured connection.

All previous MacOS and MS Windows builds ever released are affected by
this issue and should no longer be used.

Another way of protecting client systems from this vulnerability would
be to specify the list of encodings and remove the problematic ones -
this is not a recommended solution.

For servers, it is slightly easier as the `webcam` and `clipboard` are
the only vulnerable subsystems and they can easily be disabled - but
Linux servers should be receiving system updates from their regular
channels anyway.

https://github.com/Xpra-org/xpra/releases/tag/v5.0.3

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download

Cheers,
Antoine