Hi, I am currently investigating the security vulnerabilities in guacamole-client.
I believe the reported CVE-2020-9497 and CVE-2020-9498 issues only affect the server part of guacamole but this one has not been packaged yet. The security researchers who reported the vulnerabilities have discussed them in detail at https://research.checkpoint.com/2020/apache-guacamole-rce/ The paragraph about the Disclosure Timeline mentions the following commit which appears to fix both issues. (or all four according to checkpoint.com) https://github.com/apache/guacamole-server/commit/a0e11dc81727528224d28466903454e1cb0266bb Please double-check if the findings are correct. At the moment I am inclined to mark the guacamole-client package as not affected by CVE-2020-9497 and CVE-2020-9498. Then I also looked into CVE-2016-1566. It appears to me the current version in stretch and unstable has already been fixed. If https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367 is the fixing commit, then it is already included in version 0.9.9+dfsg-1 The other CVE, CVE-2018-1340 and CVE-2017-3158, are still relevant though. Regards, Markus
signature.asc
Description: OpenPGP digital signature
