Please ensure that you are using a supported version.

Distribution packages are usually outdated and full of vulnerabilities.

For a general overview, please first read security considerations as it pervades the architecture of the software.

We understand and accept that some researchers prefer full-disclosure, but we would prefer to have a heads up prior to the release of the vulnerability details.

Critical bugs are usually fixed (if reproducible) within hours, rather than days or weeks. Though making a new release does take a little bit longer. Even more so for vulnerabilities.

Please contact security@xpra.org

To receive email notifications of pending security issues in any of the xpra projects, please send a request to security@xpra.org

• CVE-2021-40839 rencode issue affected all MS Windows and MacOS binary packages produced before the fix

Some vulnerabilities are reported, sometimes automatically, but cannot be exploited because the code is not actually used:

• braces" v3.0.2 / "micromatch" v4.0.5 vulnerabilities