Hi,

On 31/01/2022 22:29, Markus Koschany wrote:
> I believe we should mark guacamole-client as end-of-life in Stretch but I would like to hear your opinion too. Guacamole in Stretch is a five-year-old web application with four open CVEs. Upstream recommends upgrading to the latest 1.4.0 release and does not provide further details about specific patches. I have checked the debdiff between 1.3.0 and 1.4.0 and it contains several files which could be related to CVE-2021-41767, for example. Since guacamole-client is also not a very popular package and not part of Buster or Bullseye, I suggest marking it EOL. Comments?
I would be wary of popcon for this kind of server package, since there's one instance for potentially a lot of (web) users.
That being said, given all your other arguments above, it sounds like maintaining orphaned guacamole-client in stretch-only is not a particularly effective use of the sponsors' money.
+1

Cheers!
Sylvain