[SECURITY] [DLA 777-1] libvncserver security update
Package : libvncserver
Version : 0.9.9+dfsg-1+deb7u2
CVE IDs : CVE-2016-9941, CVE-2016-9942
Debian Bugs : #850007, #850008
It was discovered that there were two vulnerabilities in libvncserver, a
library to create/embed a VNC server:
* CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
to cause a denial of service via a crafted FramebufferUpdate message
containing a subrectangle outside of the drawing area.
* CVE-2016-9942: Fix a heap-based buffer overflow that allows remote servers
to cause a denial of service via a crafted FramebufferUpdate message with
the "Ultra" type tile such that the LZO decompressed payload exceeds the
size of the tile dimensions.
For Debian 7 "Wheezy", these issues have been fixed in libvncserver version
0.9.9+dfsg-1+deb7u2.
We recommend that you upgrade your libvncserver packages.
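The two missing checks described above, sketched as an added example (this is not the libvncserver patch or any code from the project). The struct and function names are hypothetical, and subrectangle coordinates are assumed to be relative to the parent rectangle:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for illustration; these are not libvncserver's own. */
struct fb_dims { uint16_t width, height; uint8_t bytes_per_pixel; };
struct rect    { uint16_t x, y, w, h; };

/* True only if r lies entirely inside the framebuffer. The sums are
 * widened to 32 bits so x + w cannot wrap around in 16 bits. */
bool rect_in_framebuffer(const struct fb_dims *fb, const struct rect *r)
{
    return (uint32_t)r->x + r->w <= fb->width &&
           (uint32_t)r->y + r->h <= fb->height;
}

/* True only if sub stays inside parent. Assumes subrectangle
 * coordinates are relative to the parent's top-left corner. */
bool subrect_in_rect(const struct rect *parent, const struct rect *sub)
{
    return (uint32_t)sub->x + sub->w <= parent->w &&
           (uint32_t)sub->y + sub->h <= parent->h;
}

/* Bytes of pixel data the tile can hold, computed in 64 bits. */
uint64_t tile_bytes(const struct fb_dims *fb, const struct rect *r)
{
    return (uint64_t)r->w * r->h * fb->bytes_per_pixel;
}

/* Accept a decompressed payload only if the tile is on screen and the
 * length reported by the decompressor fits the tile's pixel buffer. */
bool tile_payload_ok(const struct fb_dims *fb, const struct rect *tile,
                     uint64_t decompressed_len)
{
    return rect_in_framebuffer(fb, tile) &&
           decompressed_len <= tile_bytes(fb, tile);
}

int main(void)
{
    struct fb_dims fb = { 800, 600, 4 };          /* constructed sample */
    struct rect ok = { 784, 584, 16, 16 }, off = { 790, 0, 16, 16 };
    printf("in-bounds rect: %d, out-of-bounds rect: %d\n",
           rect_in_framebuffer(&fb, &ok), rect_in_framebuffer(&fb, &off));
    printf("1024-byte payload: %d, 1025-byte payload: %d\n",
           tile_payload_ok(&fb, &ok, 1024), tile_payload_ok(&fb, &ok, 1025));
    return 0;
}
```

Checks of this kind have to run before any pixel data is copied into the framebuffer, on every rectangle and subrectangle header received from the server.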
Regards,
- --
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-