Debian Security Advisory
DLA-1652-1 libvncserver -- LTS security update
- Date Reported:
- 31 Jan 2019
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-15126, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750.
- More information:
A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update.
An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension.
- CVE-2018-20748 /
Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues.
For Debian 8
Jessie, these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u5.
We recommend that you upgrade your libvncserver packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS