From: Marius Bakke
Subject: Re: bug#27939: FreeRDP CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839
Date: Wed, 09 Aug 2017 23:34:27 +0200

>> The alternative is to downgrade to freerdp@1.1, or to disable rdp
>> from vinagre. When I first submitted these packages, I ran into
>> trouble trying to build freerdp@1.1, but I don't remember exactly
>> what the problem was :).
>
> I doubt many users of Guix use RDP, disabling it in Vinagre until it
> supports the new version of FreeRDP sounds reasonable to me. Otherwise
> we're effectively "forking" FreeRDP, just for Vinagre.
>
> That said, since we have the backported patch already, I'm fine with
> either approach. But we should decide soon so Vinagre works again. :-)
>
> The patch looks good to my untrained eyes.

With some delay... here's a patch to revert freerdp to the tip of
upstream branch 1.1 (which includes the CVE fixes, backported by the
FreeRDP maintainers), and allow vinagre to build against that.

Vinagre is the only Guix package which uses freerdp, so I think it's ok
to just have freerdp branch 1.1 for now (1.1 is also the last “stable”
branch).

If you agree, I'll push this patch, and close this bug.

cheers,
Thomas