Bug#964195: guacamole-client: CVE-2020-9497 and CVE-2020-9498

Markus Koschany apo at debian.org
Sat Oct 10 13:51:40 BST 2020


Hi,

I am currently investigating the security vulnerabilities in
guacamole-client.

I believe the reported CVE-2020-9497 and CVE-2020-9498 issues only
affect the server part of guacamole but this one has not been packaged
yet. The security researchers who reported the vulnerabilities have
discussed them in detail at

https://research.checkpoint.com/2020/apache-guacamole-rce/

The paragraph about the Disclosure Timeline mentions the following
commit, which appears to fix both issues (or all four according to
checkpoint.com):

https://github.com/apache/guacamole-server/commit/a0e11dc81727528224d28466903454e1cb0266bb

Please double-check if the findings are correct. At the moment I am
inclined to mark the guacamole-client package as not affected by
CVE-2020-9497 and CVE-2020-9498.

Then I also looked into CVE-2016-1566. It appears to me the current
version in stretch and unstable has already been fixed.

If

https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367

is the fixing commit, then it is already included in version 0.9.9+dfsg-1.


The other CVEs, CVE-2018-1340 and CVE-2017-3158, are still relevant though.

Regards,

Markus
