Debian Security Advisory
DLA-380-1 libvncserver -- LTS security update
- Date Reported: 04 Jan 2016
- Affected Packages:
- Security database references: No other external database security references currently available.
- More information:
An issue was discovered and resolved by the libvncserver upstream developer, Karl Runge, concerning thread safety in libvncserver when it is used to handle multiple VNC connections.
Unfortunately, it is not trivially feasible (because of ABI breakage) to backport the related patch to libvncserver 0.9.7 as shipped in Debian squeeze(-lts).
However, the thread-safety patch in question also resolved a related memory corruption issue caused by freeing global variables without nullifying them when they are reused in another thread, which occurs especially when libvncserver is used for handling multiple VNC connections.
The described issue has been resolved with this version of libvncserver, and users of VNC are advised to upgrade to this version of the package.
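The bug class described above (a global freed without being nullified, then reused by another connection's thread) is illustrated by the following added example, which is not libvncserver code and not taken from the upstream patch. All names (`g_scratch`, `scratch_store`, `scratch_release`) are hypothetical, and the input strings are constructed.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; none of this is libvncserver code. */
static char  *g_scratch;      /* global buffer shared by all client handlers */
static size_t g_scratch_len;
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

/* Before: frees the global but leaves the stale address in place. Another
 * connection thread that sees g_scratch != NULL will reuse or re-free memory
 * the allocator may already have handed out. Shown only; never called here. */
void scratch_release_unsafe(void)
{
    free(g_scratch);
}

/* After: free and clear under the lock, so no thread can observe a non-NULL
 * pointer to freed memory. Calling it twice is harmless (free(NULL)). */
void scratch_release(void)
{
    pthread_mutex_lock(&g_lock);
    free(g_scratch);
    g_scratch = NULL;
    g_scratch_len = 0;
    pthread_mutex_unlock(&g_lock);
}

/* Copy src into the shared buffer, (re)allocating when it is absent or too
 * small. Returns the number of bytes stored, or 0 on allocation failure. */
size_t scratch_store(const char *src)
{
    size_t need = strlen(src) + 1, stored = 0;
    pthread_mutex_lock(&g_lock);
    if (g_scratch == NULL || g_scratch_len < need) {
        char *p = realloc(g_scratch, need);
        if (p != NULL) { g_scratch = p; g_scratch_len = need; }
    }
    if (g_scratch != NULL && g_scratch_len >= need) {
        memcpy(g_scratch, src, need);
        stored = need;
    }
    pthread_mutex_unlock(&g_lock);
    return stored;
}

int main(void)
{
    size_t n = scratch_store("client-1");  /* constructed sample input */
    scratch_release();
    scratch_release();                     /* second release is a no-op */
    return (n == 9 && g_scratch == NULL) ? 0 : 1;
}
```
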