-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : libvncserver Version : 0.9.9+dfsg2-6.1+deb8u5 CVE ID : CVE-2018-15126 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update. CVE-2018-15126 An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension. CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues. For Debian 8 "Jessie", these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u5. We recommend that you upgrade your libvncserver packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlxTCM0ACgkQnUbEiOQ2 gwJP1A//Tp4+3c+CrteN1xP+FrgpM+Va9i5hKfD2MroA5BeWltYf5QPVomdJzdAg ZTV2Q3jz+0bn+FwrDcXhBkAyJo1Axfj2U9fcCaHVs0ncZj/wTs9kYqt7ltqmP01q JkdKZXbfdMjRB1WsU9zQ6KApUMoTRWvaUmC1UNjWNnAsivBmbv9WEm0o3x0en9nF 3oZUeJrl1BX93PGy1niH6AA3sa5KTca9MgXrefxU/U24bmTshwNs4oAPGZIJIxYJ B/TB9UGwCf4704aQYJMmf7BanrnZ42dkjmrBcRbHoPuVZ4fPX4dsCrmHUPMRHkj9 fKV3jC/gfTm8n7kYJLyO0M6Bq6rOZr+VAf9nnxsryMDKr4XPIRonI7rkkwanAXNW qQ3OYkSvusEyU1GHjZh5MKLgw1oSjObqT/Hjd8rcl+O23IZrliZ0PGTU5wRxf8pZ WJs0Oh8xWT3RsVOVQ1/NpivPfYWa3rYwRKKMHACDkyUdGs0Sk8gqn8ItSaOe2cdi wBnnTyx5/C4zGetk1jbsPkSl6JNM9oHcVfll7BN3teq5hOrf1CtNZKBQKBhzuwS0 ja9m439cZJE0Su72ehFPdq6iaT+aOnFiCIQthHt1nR5hdZ4cLaj9j6UzFLtM30nS xIkvfpC0qysCnlJC4uMHDOjms/CpEik4tK5kFSl1VdQ+u91wPOI= =T7CP -----END PGP SIGNATURE-----