Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1652-1 libvncserver

Debian Security Advisory

DLA-1652-1 libvncserver -- LTS security update

Date Reported:

31 Jan 2019

Affected Packages:

libvncserver

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-15126, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750.

More information:

A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update.

• CVE-2018-15126

  An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension.

• CVE-2018-20748 / CVE-2018-20749 / CVE-2018-20750

  Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues.

For Debian 8 Jessie, these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u5.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS