[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

[Mike Jumper <mjumper () apache org>]

CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data
received from RDP servers via static virtual channels. If a user
connects to a malicious or compromised RDP server, specially-crafted
PDUs could result in disclosure of information within the memory of
the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check
Point Research) for reporting this issue.