Bug#859136: guacamole-client: CVE-2020-9497 and CVE-2020-9498

Salvatore Bonaccorso carnil at debian.org
Sat Oct 10 18:50:32 BST 2020


On Sat, Oct 10, 2020 at 02:51:40PM +0200, Markus Koschany wrote:
> Then I also looked into CVE-2016-1566. It appears to me the current
> version in stretch and unstable has already been fixed.
> If
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
> is the fixing commit, then it is already included in version 0.9.9+dfsg-1

Prompted by your question I double-checked this. In fact the versions
released in Debian never contained the vulnerability, so I marked it as
such, thanks for the note.

Reason: the earlier version did not contain the code, and the next one
uploaded to unstable was 0.9.9+dfsg-1 which contained the fully fixed
JavaScript code. Upstream's versions are useless here as they seem to
have released 0.9.9 twice (once broken and once fixed).

