Hi,

On Sat, Oct 10, 2020 at 02:51:40PM +0200, Markus Koschany wrote:
> Then I also looked into CVE-2016-1566. It appears to me the current
> version in stretch and unstable has already been fixed.
>
> If
>
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
>
> is the fixing commit, then it is already included in version 0.9.9+dfsg-1

Prompted by your question I double-checked this. In fact the versions
released in Debian never contained the vulnerability, so I marked it as
such, thanks for the note.

Reason: the earlier version did not contain the code, and the next one
uploaded to unstable was 0.9.9+dfsg-1, which contained the fully fixed
JavaScript code. Upstream's versions are useless here as they seem to
have released 0.9.9 twice (once broken and once fixed).

Regards,
Salvatore