From totaam at xpra.org Thu Dec 12 09:38:18 2024
From: totaam at xpra.org (Antoine Martin)
Date: Thu, 12 Dec 2024 16:38:18 +0700
Subject: [winswitch] [ANNOUNCE] Xpra 6.2.2
Message-ID: <255f975c-8b76-4809-9026-99ceba9c3559@xpra.org>

Hi,

This minor update to the v6.2.x branch contains some security fixes, please update.

The first security issue affects how authentication options are parsed. Sockets defined using the newer `--bind-XXXX=host:port,auth=module` syntax would not apply the authentication module to connections upgraded to use SSL.
A possible workaround is to add `--ssl-auth=module`, or use `--bind-wss` / `--bind-ssl=..` only.

The second issue is an overflow of the picture buffers when handling YUV-to-RGB format conversions for non-OpenGL windows. A hostile server could potentially write user-controlled data beyond the end of the malloced buffer.

The self-contained SBOM script was also added to this branch, so all the MS Windows builds now include a complete SBOM file.

For more details, please see:
https://github.com/Xpra-org/xpra/releases/tag/v6.2.2

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download

Cheers,
Antoine
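
A check for the first issue, as an added example that is not part of the announcement or of Xpra's own code: it flags server command lines that rely on inline `auth=module` for a socket other than `--bind-ssl` / `--bind-wss` and carry no `--ssl-auth`, and reports the workaround named above. The function name and the sample command lines are constructed for illustration; the check only inspects arguments and does not tell whether the installed version already has the fix.

```python
import shlex

# Socket types the announcement lists as usable on their own as a workaround.
SSL_ONLY = {"ssl", "wss"}


def audit_xpra_args(cmdline):
    """Return one finding per --bind-XXXX option whose inline auth= module
    could be skipped on an SSL-upgraded connection (pre-6.2.2 behaviour)."""
    args = shlex.split(cmdline)
    # --ssl-auth given either as "--ssl-auth=module" or "--ssl-auth module"
    has_ssl_auth = any(a == "--ssl-auth" or a.startswith("--ssl-auth=") for a in args)
    findings = []
    for arg in args:
        if not arg.startswith("--bind-") or "=" not in arg:
            continue
        option, value = arg.split("=", 1)
        socktype = option[len("--bind-"):]
        # Inline socket options follow the address: host:port,auth=module,...
        inline = value.split(",")[1:]
        modules = [o.split("=", 1)[1] for o in inline if o.startswith("auth=")]
        if not modules or socktype in SSL_ONLY or has_ssl_auth:
            continue
        findings.append({
            "option": option,
            "auth": modules[0],
            "workaround": "--ssl-auth=" + modules[0],
        })
    return findings


# Constructed sample command lines (not taken from a real deployment).
SAMPLES = [
    "xpra start :100 --bind-tcp=0.0.0.0:14500,auth=file",
    "xpra start :100 --bind-tcp=0.0.0.0:14500,auth=file --ssl-auth=file",
    "xpra start :100 --bind-ssl=0.0.0.0:14500,auth=file",
    "xpra start :100 --bind-ws=0.0.0.0:14500",
]

if __name__ == "__main__":
    for line in SAMPLES:
        hits = audit_xpra_args(line)
        status = "REVIEW" if hits else "ok"
        print(f"{status:6} {line}")
        for hit in hits:
            print(f"       {hit['option']}: add {hit['workaround']} or upgrade")
```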