
[SECURITY] [DLA 380-1] libvncserver security update



Package        : libvncserver
Version        : 0.9.7-2+deb6u2


The libvncserver upstream developer Karl Runge discovered and resolved
a thread-safety issue in libvncserver that arises when libvncserver is
used for handling multiple VNC connections [1].

Unfortunately, it is not trivially feasible (because of ABI breakage) to
backport the related patch to libvncserver 0.9.7 as shipped in Debian
squeeze(-lts).

However, the thread-safety patch discussed resolved a related issue of
memory corruption caused by freeing global variables without nullifying
them when reusing them in another "thread", which occurs especially when
libvncserver is used for handling multiple VNC connections.

The described issue has been resolved with this version of libvncserver
and users of VNC are recommended to upgrade to this version of the
package.

[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
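
The bug class described in the advisory (a global freed on one connection's teardown but not reset before the next connection reuses it), shown as an added illustration that is not code from libvncserver or from the Debian patch. All names (scratch_buf, scratch_acquire, cleanup_unsafe, cleanup_safe, state_after_disconnect) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical process-wide scratch buffer shared by all client handlers. */
static char  *scratch_buf  = NULL;
static size_t scratch_size = 0;

/* Grow-on-demand accessor: allocates only when the recorded size is too small. */
static char *scratch_acquire(size_t needed)
{
    if (scratch_size < needed) {
        char *p = realloc(scratch_buf, needed); /* realloc(NULL, n) acts as malloc */
        if (p == NULL)
            return NULL;
        scratch_buf  = p;
        scratch_size = needed;
    }
    return scratch_buf;
}

/* BEFORE: memory is released, but the globals still describe a live buffer. */
static void cleanup_unsafe(void) { free(scratch_buf); }

/* AFTER: release and reset, so the next connection allocates afresh. */
static void cleanup_safe(void)
{
    free(scratch_buf);
    scratch_buf  = NULL;
    scratch_size = 0;
}

/* One connect/disconnect cycle. Returns 1 if the next scratch_acquire() would
 * hand out (or realloc) the freed block, 0 if it would allocate, -1 on OOM. */
static int state_after_disconnect(void (*cleanup)(void))
{
    char *p = scratch_acquire(64);
    if (p == NULL)
        return -1;
    memset(p, 0, 64);                  /* connection uses the buffer */
    cleanup();                         /* connection goes away */
    int stale = (scratch_size != 0);   /* what the next connection would see */
    scratch_buf = NULL; scratch_size = 0; /* reset so the demo never touches freed memory */
    return stale;
}

int main(void)
{
    printf("unsafe cleanup leaves stale state: %d\n", state_after_disconnect(cleanup_unsafe));
    printf("safe cleanup leaves stale state:   %d\n", state_after_disconnect(cleanup_safe));
    return 0;
}
```
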
