Bug#964195: guacamole-client: CVE-2020-9497 and CVE-2020-9498

Markus Koschany apo at debian.org
Sat Oct 10 13:51:40 BST 2020


I am currently investigating the security vulnerabilities in

I believe the reported CVE-2020-9497 and CVE-2020-9498 issues only
affect the server part of guacamole but this one has not been packaged
yet. The security researchers who reported the vulnerabilities have
discussed them in detail at


The paragraph about the Disclosure Timeline mentions the following
commit which appears to fix both issues. (or all four according to


Please double-check if the findings are correct. At the moment I am
inclined to mark the guacamole-client package as not affected by
CVE-2020-9497 and CVE-2020-9498.

Then I also looked into CVE-2016-1566. It appears to me the current
version in stretch and unstable has already been fixed.



is the fixing commit, then it is already included in version 0.9.9+dfsg-1

The other CVEs, CVE-2018-1340 and CVE-2017-3158, are still relevant though.


