Hello,
Can this vulnerability be protected by a WAF such as ModSecurity?

From: Nick Couchman <vn...@apache.org>
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

On Wed, Jan 12, 2022 at 4:28 PM guacatoine <guacamole.to...@placi.de> wrote:

> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming for one (or more lower) version(s) of Guacamole?

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch. If you really need to maintain a lower version, you could try to back-port the patch(es) that specifically address the issue to that version, but that's a lot of manual work versus just upgrading to the latest version.

-Nick