The server component of Apache Guacamole, a remote desktop gateway,
did not properly validate data received from RDP servers. This could
result in information disclosure or even the execution of arbitrary code.

Apache Guacamole does not properly validate data received from RDP
servers via static virtual channels. If a user connects to a
malicious or compromised RDP server, specially-crafted PDUs could
result in disclosure of information within the memory of the guacd
process handling the connection.

Apache Guacamole may mishandle pointers involved in processing data
received via RDP static virtual channels. If a user connects to a
malicious or compromised RDP server, a series of specially-crafted
PDUs could result in memory corruption, possibly allowing arbitrary
code to be executed with the privileges of the running guacd

For Debian 9 stretch, these problems have been fixed in version
0.9.9-2+deb9u1.

We recommend that you upgrade your guacamole-server packages.

For the detailed security status of guacamole-server please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS Advisory DLA-2435-1                          [email protected]
https://www.debian.org/lts/security/                      Markus Koschany
November 06, 2020                             https://wiki.debian.org/LTS

Version        : 0.9.9-2+deb9u1