Bug#859136: guacamole-client: CVE-2020-9497 and CVE-2020-9498

Salvatore Bonaccorso carnil at debian.org
Sat Oct 10 18:50:32 BST 2020


Hi,

On Sat, Oct 10, 2020 at 02:51:40PM +0200, Markus Koschany wrote:
> Then I also looked into CVE-2016-1566. It appears to me the current
> version in stretch and unstable has already been fixed.
> 
> If
> 
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
> 
> is the fixing commit, then it is already included in version 0.9.9+dfsg-1

Prompted by your question I double-checked this. In fact the versions
released in Debian never contained the vulnerability, so marked it as
such, thanks for the note.

Reason: the earlier version did not contain the code, and the next one
uploaded to unstable was 0.9.9+dfsg-1 which contained the fully fixed
JavaScript code. Upstream's versions are useless here as they seem to
have released twice 0.9.9 (once broken and once fixed).

Regards,
Salvatore


