openSUSE-SU-2026:20339-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20339-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2026:20339-1
Published
2026-03-10T12:34:56Z
Modified
2026-03-17T05:28:58.811638Z
Summary
Security update for freerdp
Details

This update for freerdp fixes the following issues:

Update to version 3.22.0 (jsc#PED-15526):

  • Major bugfix release:

    • Complete overhaul of SDL client
    • Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language version specific [[nodiscard]] attributes
    • Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors are producing warnings now
    • Add some more stringify functions for logging
    • We've received CVE reports, check https://github.com/FreeRDP/FreeRDP/security/advisories for more details!
    • @Keryer reported an issue affecting client and proxy:

      • CVE-2026-23948
    • @ehdgks0627 did some more fuzzing and found quite a number of client side bugs:

      • CVE-2026-24682
      • CVE-2026-24683
      • CVE-2026-24676
      • CVE-2026-24677
      • CVE-2026-24678
      • CVE-2026-24684
      • CVE-2026-24679
      • CVE-2026-24681
      • CVE-2026-24675
      • CVE-2026-24491
      • CVE-2026-24680
    • Changes from version 3.21.0

  • [core,info] fix missing NULL check (#12157)

  • [gateway,tsg] fix TSG_PACKET_RESPONSE parsing (#12161)
  • Allow querying auth identity with kerberos when running as a server (#12162)
  • Sspi krb heimdal (#12163)
  • Tsg fix idleTimeout parsing (#12167)
  • [channels,smartcard] revert 649f7de (#12166)
  • [crypto] deprecate er and der modules (#12170)
  • [channels,rdpei] lock full update, not only parts (#12175)
  • [winpr,platform] add WINPR_ATTR_NODISCARD macro (#12178)
  • Wlog cleanup (#12179)
  • new stringify functions & touch API defines (#12180)
  • Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos (#12171)
  • [channels,video] measure times in ns (#12184)
  • [utils] Nodiscard (#12187)
  • Error handling fixes (#12186)
  • [channels,drdynvc] check pointer before reset (#12189)
  • Winpr api def (#12190)
  • [winpr,platform] drop C23 [[nodiscard]] (#12192)
  • [gdi] add additional checks for a valid rdpGdi (#12194)
  • Sdl3 high dpiv2 (#12173)
  • peer: Disconnect if Logon() returned FALSE (#12196)
  • [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing (#12197)
  • [channel,rdpsnd] only clean up thread before free (#12199)
  • [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP (#12195)

    • Update to version 3.21.0:
  • Bugfix release with a few new API functions addressing shortcomings with regard to input data validation. Thanks to @ehdgks0627 we have fixed the following additional (medium) client side vulnerabilities:

    • CVE-2026-23530
    • CVE-2026-23531
    • CVE-2026-23532
    • CVE-2026-23533
    • CVE-2026-23534
    • CVE-2026-23732
    • CVE-2026-23883
    • CVE-2026-23884

    • Changes from version 3.20.2

  • [client,sdl] fix monitor resolution (#12142)

  • [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
  • Krb cache fix (#12145)
  • Rdpdr improved checks (#12141)
  • Codec advanced length checks (#12146)
  • Glyph fix length checks (#12151)
  • Wlog printf format string checks (#12150)
  • [warnings,format] fix format string warnings (#12152)
  • Double free fixes (#12153)
  • [clang-tidy] clean up code warnings (#12154)

    • Update to version 3.20.2:
  • Patch release fixing a regression with gateway connections introduced with 3.20.1

    What's Changed

    • Warnings and missing enumeration types (#12137)

    • Changes from version 3.20.1:

  • New years cleanup release. Fixes some issues reported and does a cleaning sweep to bring down warnings. Thanks to @ehdgks0627 doing some code review/testing we've uncovered the following (medium) vulnerabilities:

    • CVE-2026-22851
    • CVE-2026-22852
    • CVE-2026-22853
    • CVE-2026-22854
    • CVE-2026-22855
    • CVE-2026-22856
    • CVE-2026-22857
    • CVE-2026-22858
    • CVE-2026-22859
  • These affect FreeRDP based clients only, with the exception of CVE-2026-22858 also affecting FreeRDP proxy. FreeRDP based servers are not affected.

    • Update to version 3.20.0:
  • Mingw fixes (#12070)

  • [crypto,certificate_data] add some hostname sanitation
  • [client,common]: Fix loading of rdpsnd channel
  • [client,sdl] set touch and pen hints

    • Changes from version 3.19.1:
  • [core,transport] improve SSL error logging

  • [utils,helpers] fix freerdp_settings_get_legacy_config_path
  • From stdin and sdl-creds improve
  • [crypto,certificate] sanitize hostnames
  • [channels,drdynvc] propagate error in dynamic channel
  • [CMake] make Mbed-TLS and LibreSSL experimental
  • Json fix
  • rdpecam: send sample only if it's available
  • [channels,rdpecam] allow MJPEG frame skip and direct passthrough
  • [winpr,utils] explicit NULL checks in jansson WINPR_JSON_ParseWithLength

    • Changes from version 3.19.0:
  • [client,common] fix retry counter

  • [cmake] fix aarch64 neon detection
  • Fix response body existence check when using RDP Gateway
  • fix line clipping issue
  • Clip coord fix
  • [core,input] Add debug log to keyboard state sync
  • Update command line usage for gateway option
  • [codec,ffmpeg] 8.0 dropped AV_PROFILE_AAC_MAIN
  • [channels,audin] fix pulse memory leak
  • [channels,drive] Small performance improvements in drive channel
  • [winpr,utils] fix command line error logging
  • [common,test] Adjust AVC and H264 expectations
  • drdynvc: implement compressed packet
  • [channels,rdpecam] improve log messages
  • Fix remote credential guard channel loading
  • Fix inverted ifdef
  • [core,nego] disable all enabled modes except the one requested
  • rdpear: handle basic NTLM commands and fix server-side
  • [smartcardlogon] Fix off-by-one error in smartcard_hw_enumerateCerts
  • rdpecam: fix camera sample grabbing

    • Update to version 3.18.0:
  • Fix a regression reading passwords from stdin

  • Fix a timer regression (µs instead of ms)
  • Improved multitouch support
  • Fix a bug with PLANAR codec (used with /bpp:32 or sometimes with /gfx)
  • Better error handling for ARM transport (Entra)
  • Fix audio encoder lag (microphone/AAC) with FFMPEG
  • Support for jansson JSON library

    • Update to version 3.17.2:
  • Minor improvements and bugfix release.

  • Most notably resource usage (file handles) has been greatly reduced and static build pkg-config have been fixed. For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession mode has been fixed (working UAC screen)

    • Changes from version 3.17.1
  • Minor improvements and bugfix release.

    • most notably a memory leak was addressed
    • fixed header files missing C++ guards
    • xfreerdp as well as the SDL clients now support a system wide configuration file
    • Heimdal kerberos support was improved
    • builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used (this configuration was never supported, so ensure nobody compiles it that way)

    • Enable openh264 support, we can build against the noopenh264 stub

    • Update to 3.17.0:

  • [client,sdl2] fix build with webview (#11685)

  • [core,nla] use wcslen for password length (#11687)
  • Clear channel error prior to call channel init event proc (#11688)
  • Warn args (#11689)
  • [client,common] fix -mouse-motion (#11690)
  • [core,proxy] fix IPv4 and IPv6 length (#11692)
  • Regression fix2 (#11696)
  • Log fixes (#11693)
  • [common,settings] fix int casts (#11699)
  • [core,connection] fix log level of several messages (#11697)
  • [client,sdl] print current video driver (#11701)
  • [crypto,tls] print big warning for /cert:ignore (#11704)
  • [client,desktop] fix StartupWMClass setting (#11708)
  • [cmake] unify version creation (#11711)
  • [common,settings] force reallocation on caps copy (#11715)
  • [manpages] Add example of keyboard remapping (#11718)
  • Some fixes in Negotiate and NLA (#11722)
  • [client,x11] fix clipboard issues (#11724)
  • kerberos: do various tries for TGT retrieval in u2u (#11723)
  • Cmdline escape strings (#11735)
  • [winpr,utils] do not log command line arguments (#11736)
  • [api,doc] Add stylesheet for doxygen (#11738)
  • [core,proxy] fix BIO read methods (#11739)
  • [client,common] fix sso_mib_get_access_token return value in error case (#11741)
  • [crypto,tls] do not use context->settings->instance (#11749)
  • winpr: re-introduce the credentials module (#11734)
  • [winpr,timezone] ensure thread-safe initialization (#11754)
  • core/redirection: Ensure stream has enough space for the certificate (#11762)
  • [client,common] do not log success (#11766)
  • Clean up bugs exposed on systems with high core counts (#11761)
  • [cmake] add installWithRPATH (#11747)
  • [clang-tidy] fix various warnings (#11769)
  • Wlog improve type checks (#11774)
  • [client,common] fix tenantid command line parsing (#11779)
  • Proxy module static and shared linking support (#11768)
  • LoadLibrary Null fix (#11786)
  • [client,common] add freerdp_client_populate_settings_from_rdp_file_un… (#11780)
  • Fullchain support (#11787)
  • [client,x11] ignore floatbar events (#11771)
  • [winpr,credentials] prefer utf-8 over utf-16-LE #11790
  • [proxy,modules] ignore bitmap-filter skip remaining #11789

    • Update to 3.16.0:
  • Lots of improvements for the SDL3 client
  • Various X11 client improvements
  • Add a timer implementation
  • Various AAD/Azure/Entra improvements
  • YUV420 primitives fixes
    • Update to 3.15.0:
  • [client,sdl] fix crash on suppress output
  • [channels,remdesk] fix possible memory leak
  • [client,x11] map exit code success
  • Hidef rail checks and deprecation fixes
  • Standard rdp security network issues
  • [core,rdp] fix check for SEC_FLAGSHI_VALID
  • [core,caps] fix rdp_apply_order_capability_set
  • [core,proxy] align no_proxy to curl
  • [core,gateway] fix string reading for TSG
  • [client,sdl] refactor display update

    • Update to version 3.14.0:
  • Bugfix and cleanup release. Due to some new API functions the minor version has been increased.

    • Changes from version 3.13.0:
  • Friends of old hardware rejoice, serial port redirection got an update (not kidding you)

  • Android builds have been updated to be usable again
  • Mingw builds now periodically do a shared and static build
  • Fixed some bugs and regressions along the way and improved test coverage as well

    • Changes from version 3.12.0:
  • Multimonitor backward compatibility fixes

  • Smartcard compatibility
  • Improve the [MS-RDPECAM] support
  • Improve smartcard redirection support
  • Refactor SSE optimizations: Split headers, unify load/store, require SSE3 for all optimized functions
  • Refactors the CMake build to better support configuration based builders
  • Fix a few regressions from last release (USB redirection and graphical glitches)

    • Changes from version 3.11.0:
  • A new release with bugfixes and code cleanups as well as a few nifty little features

    • CVE-2024-22211: In affected versions an integer overflow in freerdp_bitmap_planar_context_reset leads to heap-buffer overflow. (bsc#1219049)

    • CVE-2024-32658: Fixed out-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients (bsc#1223353)

    • Multiple CVE fixes

  • CVE-2024-32659: Fixed out-of-bounds read if ((nWidth == 0) and (nHeight == 0)) (bsc#1223346)
  • CVE-2024-32660: Fixed client crash via invalid huge allocation size (bsc#1223347)
  • CVE-2024-32661: Fixed client NULL pointer dereference (bsc#1223348)

    • Multiple CVE fixes:
    • bsc#1223293, CVE-2024-32039
    • bsc#1223294, CVE-2024-32040
    • bsc#1223295, CVE-2024-32041
    • bsc#1223296, CVE-2024-32458
    • bsc#1223297, CVE-2024-32459
    • bsc#1223298, CVE-2024-32460
  • Fix CVE-2023-40574 - bsc#1214869: Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX

  • Fix CVE-2023-40575 - bsc#1214870: Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX
  • Fix CVE-2023-40576 - bsc#1214871: Out-Of-Bounds Read in RleDecompress
Affected packages

openSUSE:Leap 16.0 / freerdp

Package

Name
freerdp
Purl
pkg:rpm/opensuse/freerdp&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.22.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "rdtk0-devel": "3.22.0-160000.1.1",
            "freerdp": "3.22.0-160000.1.1",
            "freerdp-server": "3.22.0-160000.1.1",
            "freerdp-proxy-plugins": "3.22.0-160000.1.1",
            "freerdp-proxy": "3.22.0-160000.1.1",
            "libfreerdp-server-proxy3-3": "3.22.0-160000.1.1",
            "freerdp-devel": "3.22.0-160000.1.1",
            "freerdp-sdl": "3.22.0-160000.1.1",
            "librdtk0-0": "3.22.0-160000.1.1",
            "libwinpr3-3": "3.22.0-160000.1.1",
            "freerdp-wayland": "3.22.0-160000.1.1",
            "libfreerdp3-3": "3.22.0-160000.1.1",
            "winpr-devel": "3.22.0-160000.1.1",
            "uwac0-devel": "3.22.0-160000.1.1",
            "libuwac0-0": "3.22.0-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20339-1.json"