[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 380-1] libvncserver security update

Package        : libvncserver
Version        : 0.9.7-2+deb6u2

An issue had been discovered and resolved by the libvncserver upstream
developer Karl Runge addressing thread-safety in libvncserver when
libvncserver is used for handling multiple VNC connections [1].

Unfortunately, it is not trivially feasible (because of ABI breakage) to
backport the related patch to libvncserver 0.9.7 as shipped in Debian

However, the thread-safety patch discussed resolved a related issue of
memory corruption caused by freeing global variables without nullifying
them when reusing them in another "thread", especially occurring when
libvncserver is used for handling multiple VNC connections

The described issue has been resolved with this version of libvncserver
and users of VNC are recommended to upgrade to this version of the

[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6


mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: signature.asc
Description: Digital signature

Reply to: