Bug#969190: buster-pu: package libvncserver/0.9.11+dfsg-1.3+deb10u3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
several (minor) CVE issues have been resolved in buster's libvncserver:
+ * CVE-2019-20839: libvncclient: bail out if unix socket name would overflow.
+ * CVE-2020-14397: libvncserver: add missing NULL pointer checks.
+ * CVE-2020-14399: libvncclient: fix pointer aliasing/alignment issue.
+ * CVE-2020-14400: libvncserver: fix pointer aliasing/alignment issue.
+ * CVE-2020-14401: libvncserver: scale: cast to 64 bit before shifting.
+ * CVE-2020-14402, CVE-2020-14403, CVE-2020-14404: libvncserver: encodings:
+ prevent OOB accesses.
+ * CVE-2020-14405: libvncclient/rfbproto: limit max textchat size.
The changes have already been dput as +deb10u4. Thanks for reviewing.
Greets,
Mike
-- System Information:
Debian Release: 10.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-10-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply to: