Re: EOL guacamole-client in Stretch
On 31/01/2022 22:29, Markus Koschany wrote:
> I believe we should mark guacamole-client as end-of-life in Stretch but I would
> like to hear your opinion too. Guacamole in Stretch is a five-year-old web
> application with four open CVEs. Upstream recommends to upgrade to the latest
> 1.4.0 release and does not provide further details about specific patches. I
> have checked the debdiff between 1.3.0 and 1.4.0 and it contains several files
> which could be related to CVE-2021-41767 for example. Since guacamole-client is
> also not a very popular package and not part of Buster or Bullseye, I suggest
> to mark it EOL. Comments?

I would be wary of popcon for this kind of server package, since
there's one instance for potentially a lot of (web) users.

That being said, given all your other arguments above, it sounds like
maintaining orphaned guacamole-client in stretch-only is not a
particularly effective use of the sponsors' money.