[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: EOL guacamole-client in Stretch


On 31/01/2022 22:29, Markus Koschany wrote:
I believe we should mark guacamole-client as end-of-life in Stretch but I would
like to hear your opinion too. Guacamole in Stretch is a five year old web
application with four open CVE. Upstream recommends to upgrade to the latest
1.4.0 release and does not provide further details about specific patches. I
have checked the debdiff between 1.3.0 and 1.4.0 and it contains several files
which could be related to CVE-2021-41767 for example. Since guacamole-client is
also not a very popular package and not part of Buster or Bullseye, I suggest
to mark it EOL. Comments?

I would be warry of popcon for this kind of server package, since there's one instance for potentially a lot of (web) users.

That being said, given all your other arguments above, it sounds like maintaining orphaned guacamole-client in stretch-only is not a particularly effective use of the sponsors' money.



Reply to: