Bug#964195: guacamole-client: CVE-2020-9497 and CVE-2020-9498

Salvatore Bonaccorso carnil at debian.org
Sat Oct 10 18:59:05 BST 2020


On Sat, Oct 10, 2020 at 06:28:39PM +0200, Markus Koschany wrote:
> I somehow missed the guacamole-server package in Debian.

Right, I reassigned earlier today then the bug to guacamole-server and
adjusted the tracking in the security-tracker. Thanks for

> Currently I
> believe it is possible to backport the patch from 1.2.0 to 0.9.9.
> However there is still the problem with freerdp2 (#888321), most likely
> a new upstream version for unstable/testing is required anyway.

I cannot judge here at the moment, in any case it should be outweight
if it wise to backport the fix vs. potential breakage. For unstable I
agree new upstream versions are probably the best option.


More information about the pkg-remote-team mailing list