Please ensure that you are using a supported version.
Distribution packages are usually outdated and full of vulnerabilities.
For a general overview, please first read the security considerations, as security pervades the architecture of the software.
We understand and accept that some researchers prefer full disclosure, but we would prefer to have a heads-up prior to the release of the vulnerability details.
Critical bugs are usually fixed (if reproducible) within hours rather than days or weeks, though making a new release does take a little bit longer. Even more so for vulnerabilities.
Please contact security@xpra.org.
You can encrypt all communications with the following GPG key: 66EA1EA1A1323924 for xpra@xpra.org. The primary key fingerprint, B499 3B57 3231 48E3 7977 E5D8 7325 4CAD 1797 8FAF, is the same as the one used for signing packages.
To receive email notifications of pending security issues in any of the xpra projects, please send a request to security@xpra.org.
- CVE-2021-40839: rencode issue, affected all MS Windows and MacOS binary packages produced before the fix
Some vulnerabilities are reported, sometimes automatically, but cannot be exploited because the code is not actually used: