[SECURITY] [DLA 1652-1] libvncserver security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : libvncserver
Version : 0.9.9+dfsg2-6.1+deb8u5
CVE ID : CVE-2018-15126 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
A vulnerability was found by Kaspersky Lab in libvncserver, a C library
to implement VNC server/client functionalities. In addition, some of the
vulnerabilities addressed in DLA 1617-1 were found to have incomplete
fixes, and have been addressed in this update.
CVE-2018-15126
An attacker can cause denial of service or remote code execution via
a heap use-after-free issue in the tightvnc-filetransfer extension.
CVE-2018-20748
CVE-2018-20749
CVE-2018-20750
Some of the out of bound heap write fixes for CVE-2018-20019 and
CVE-2018-15127 were incomplete. These CVEs address those issues.
For Debian 8 "Jessie", these problems have been fixed in version
0.9.9+dfsg2-6.1+deb8u5.
We recommend that you upgrade your libvncserver packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlxTCM0ACgkQnUbEiOQ2
gwJP1A//Tp4+3c+CrteN1xP+FrgpM+Va9i5hKfD2MroA5BeWltYf5QPVomdJzdAg
ZTV2Q3jz+0bn+FwrDcXhBkAyJo1Axfj2U9fcCaHVs0ncZj/wTs9kYqt7ltqmP01q
JkdKZXbfdMjRB1WsU9zQ6KApUMoTRWvaUmC1UNjWNnAsivBmbv9WEm0o3x0en9nF
3oZUeJrl1BX93PGy1niH6AA3sa5KTca9MgXrefxU/U24bmTshwNs4oAPGZIJIxYJ
B/TB9UGwCf4704aQYJMmf7BanrnZ42dkjmrBcRbHoPuVZ4fPX4dsCrmHUPMRHkj9
fKV3jC/gfTm8n7kYJLyO0M6Bq6rOZr+VAf9nnxsryMDKr4XPIRonI7rkkwanAXNW
qQ3OYkSvusEyU1GHjZh5MKLgw1oSjObqT/Hjd8rcl+O23IZrliZ0PGTU5wRxf8pZ
WJs0Oh8xWT3RsVOVQ1/NpivPfYWa3rYwRKKMHACDkyUdGs0Sk8gqn8ItSaOe2cdi
wBnnTyx5/C4zGetk1jbsPkSl6JNM9oHcVfll7BN3teq5hOrf1CtNZKBQKBhzuwS0
ja9m439cZJE0Su72ehFPdq6iaT+aOnFiCIQthHt1nR5hdZ4cLaj9j6UzFLtM30nS
xIkvfpC0qysCnlJC4uMHDOjms/CpEik4tK5kFSl1VdQ+u91wPOI=
=T7CP
-----END PGP SIGNATURE-----
Reply to: