Important: freerdp

Issue Overview:

A flaw was found in the FreeRDP client when it fails to validate input data when using gateway connections. This flaw could allow a malicious gateway to send a specially crafted input to a client leading to an out of bounds write in client memory. The highest threat from this flaw is that it could allow arbitrary code to be executed on the target system. (CVE-2021-41159)

A flaw was found in the FreeRDP client where it fails to validate input data when using connections with GDI or SurfaceCommands. This flaw could allow a malicious server sending graphics updates to a client to cause an out of bounds write in client memory using a specially crafted input. The highest threat from this flaw is that it could allow arbitrary code to be executed on the target system. (CVE-2021-41160)

Affected Packages:

freerdp

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update freerdp to update your system.

New Packages:

aarch64:  
    freerdp-2.1.1-5.amzn2.aarch64  
    freerdp-libs-2.1.1-5.amzn2.aarch64  
    freerdp-devel-2.1.1-5.amzn2.aarch64  
    libwinpr-2.1.1-5.amzn2.aarch64  
    libwinpr-devel-2.1.1-5.amzn2.aarch64  
    freerdp-debuginfo-2.1.1-5.amzn2.aarch64  
  
i686:  
    freerdp-2.1.1-5.amzn2.i686  
    freerdp-libs-2.1.1-5.amzn2.i686  
    freerdp-devel-2.1.1-5.amzn2.i686  
    libwinpr-2.1.1-5.amzn2.i686  
    libwinpr-devel-2.1.1-5.amzn2.i686  
    freerdp-debuginfo-2.1.1-5.amzn2.i686  
  
src:  
    freerdp-2.1.1-5.amzn2.src  
  
x86_64:  
    freerdp-2.1.1-5.amzn2.x86_64  
    freerdp-libs-2.1.1-5.amzn2.x86_64  
    freerdp-devel-2.1.1-5.amzn2.x86_64  
    libwinpr-2.1.1-5.amzn2.x86_64  
    libwinpr-devel-2.1.1-5.amzn2.x86_64  
    freerdp-debuginfo-2.1.1-5.amzn2.x86_64  

Additional References

Red Hat: CVE-2021-41159, CVE-2021-41160

Mitre: CVE-2021-41159, CVE-2021-41160