I was curious and checked, and here are the fixes for each CVE:
CVE               Fixed in
CVE-2020-11996    9.0.36
CVE-2020-13934    9.0.37
CVE-2020-13935    9.0.37
CVE-2020-13943    9.0.38
CVE-2020-17527    9.0.40
CVE-2021-24122    9.0.40
CVE-2021-25122    9.0.43
CVE-2021-25329    9.0.43
CVE-2021-30640    9.0.46
CVE-2021-33037    9.0.48
CVE-2020-9484     9.0.58
CVE-2021-43980    9.0.62
CVE-2022-29885    9.0.63
CVE-2022-34305    9.0.65
CVE-2022-42252    9.0.68

So any version equal to or above 9.0.68 contains all the required fixes.
By the way, Tomcat has a security page for that:
https://tomcat.apache.org/security-9.html

Cheers,
Antoine
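As an added example, not code from this thread or from the Tomcat or Guacamole projects, the script below encodes the fixed-in table above and checks an installed Tomcat 9.0.x version against it. Only the CVE-to-version mapping is taken from the thread; the function names, the numeric version comparison and the check that the installed version is actually on the 9.0 branch are assumptions made for this example.

```python
# Added example: check an installed Tomcat 9.0.x version against the fixed-in
# table above. Only the CVE -> version mapping is from the thread; the function
# names and the 9.0-branch check are assumptions made for this example.
import re

# Fixed-in versions exactly as listed in the thread (Tomcat 9.0 branch).
FIXED_IN = {
    "CVE-2020-11996": "9.0.36",
    "CVE-2020-13934": "9.0.37",
    "CVE-2020-13935": "9.0.37",
    "CVE-2020-13943": "9.0.38",
    "CVE-2020-17527": "9.0.40",
    "CVE-2021-24122": "9.0.40",
    "CVE-2021-25122": "9.0.43",
    "CVE-2021-25329": "9.0.43",
    "CVE-2021-30640": "9.0.46",
    "CVE-2021-33037": "9.0.48",
    "CVE-2020-9484":  "9.0.58",
    "CVE-2021-43980": "9.0.62",
    "CVE-2022-29885": "9.0.63",
    "CVE-2022-34305": "9.0.65",
    "CVE-2022-42252": "9.0.68",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '9.0.68' into (9, 0, 68) so that versions compare numerically.

    A plain string comparison gets this wrong: '9.0.9' > '9.0.68' as text,
    but 9.0.9 is older and lacks every fix in the table.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(part) for part in m.groups())


def minimum_safe_version(fixed_in=FIXED_IN):
    """Lowest version that carries every fix in the table (the thread's 9.0.68)."""
    return max(fixed_in.values(), key=parse_version)


def unfixed_cves(installed, fixed_in=FIXED_IN):
    """Return the CVEs from the table whose fix is not yet in `installed`.

    The fixed-in versions are 9.0-branch numbers, so they say nothing about
    other branches; an 8.5.x or 10.x version is rejected rather than compared.
    """
    v = parse_version(installed)
    if v[:2] != (9, 0):
        raise ValueError(f"{installed} is not on the Tomcat 9.0 branch; "
                         "consult the security page for its own branch")
    missing = [cve for cve, fix in fixed_in.items() if parse_version(fix) > v]
    return sorted(missing, key=lambda cve: parse_version(fixed_in[cve]))


if __name__ == "__main__":
    # Constructed sample input: the 9.0.31 mentioned in the original question.
    installed = "9.0.31"
    print(f"minimum version with all fixes: {minimum_safe_version()}")
    for cve in unfixed_cves(installed):
        print(f"{installed} still lacks the fix for {cve} (fixed in {FIXED_IN[cve]})")
```

Running it against 9.0.31 lists all fifteen CVEs as unfixed and reports 9.0.68 as the lowest version covering the whole table; feeding it a 10.x version raises an error instead of producing a misleading result, because the fixed-in numbers only describe the 9.0 branch.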



On Tuesday, January 31, 2023 at 22:56:52 UTC+1, Nick Couchman <vn...@apache.org>
wrote:
 
 On Tue, Jan 31, 2023 at 4:34 PM Sean Hulbert
<shulb...@securitycentric.net.invalid> wrote:
>
> Hello,
>
> Are there any special requirements for Guacamole 1.4.0 to update Tomcat
> 9.0.31 to Tomcat 10 or reasons not to do this?
>

Yes, Tomcat 10 makes some servlet API changes that require code
changes to Guacamole. It's documented, here:

https://issues.apache.org/jira/browse/GUACAMOLE-1325

> To resolve the CVE below, and are there any procedural steps documented?

Without looking at each individual CVE you mentioned, I would say that
most, if not all, are probably also fixed in a version of Tomcat 9.0,
which will still work with Guacamole. For example, CVE-2021-43980 only
impacts 9.0.47 to 9.0.60, and is fixed in current 9.0 releases. I
would venture a guess that many/most/all of the rest are the same. So,
updating to the latest version of Tomcat 9.x should be a perfectly
acceptable procedural step.

-Nick
