Hi, On Sat, Oct 10, 2020 at 06:28:39PM +0200, Markus Koschany wrote: > I somehow missed the guacamole-server package in Debian.
Right, I reassigned earlier today then the bug to guacamole-server and adjusted the tracking in the security-tracker. Thanks for investigating. > Currently I > believe it is possible to backport the patch from 1.2.0 to 0.9.9. > However there is still the problem with freerdp2 (#888321), most likely > a new upstream version for unstable/testing is required anyway. I cannot judge here at the moment, in any case it should be outweight if it wise to backport the fix vs. potential breakage. For unstable I agree new upstream versions are probably the best option. Regards, Salvatore