USN-3171-1: LibVNCServer vulnerabilities

Discussion in 'Security' started by Ubuntu Security Notices, Jan 11, 2017.

Thread Status:
This thread is more than 60 days old.
  1. Ubuntu Security Notice USN-3171-1


    11th January, 2017

    libvncserver vulnerabilities


    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 16.10
    • Ubuntu 16.04 LTS
    • Ubuntu 14.04 LTS
    • Ubuntu 12.04 LTS

    Summary


    Several security issues were fixed in LibVNCServer.

    Software description

    • libvncserver - vnc server library

    Details


    Josef Gajdusek discovered that the LibVNCServer client library incorrectly
    handled certain FrameBufferUpdate messages. If a user were tricked into
    connecting to a malicious server, an attacker could use this issue to cause
    a denial of service, or possibly execute arbitrary code. (CVE-2016-9941,
    CVE-2016-9942)

    Update instructions


    The problem can be corrected by updating your system to the following package version:

    Ubuntu 16.10:
      libvncserver1 0.9.10+dfsg-3ubuntu0.16.10.1
      libvncclient1 0.9.10+dfsg-3ubuntu0.16.10.1

    Ubuntu 16.04 LTS:
      libvncserver1 0.9.10+dfsg-3ubuntu0.16.04.1
      libvncclient1 0.9.10+dfsg-3ubuntu0.16.04.1

    Ubuntu 14.04 LTS:
      libvncserver0 0.9.9+dfsg-1ubuntu1.2

    Ubuntu 12.04 LTS:
      libvncserver0 0.9.8.2-2ubuntu1.2

    To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary changes.

    References


    CVE-2016-9941, CVE-2016-9942

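To check a fleet against the fixed versions listed in the notice, the following added example (not part of the notice or of any Ubuntu tooling) compares installed package versions using Debian's version ordering and reports anything older than the fix. The function names `deb_key` and `audit`, the host names and the installed versions in `SAMPLE` are constructed for illustration; real rows would come from an inventory such as collected `dpkg-query -W` output. It assumes Python 3.7 or later.

```python
import re

# Fixed versions listed in USN-3171-1, keyed by Ubuntu release, then package.
FIXED = {
    "16.10": {"libvncserver1": "0.9.10+dfsg-3ubuntu0.16.10.1",
              "libvncclient1": "0.9.10+dfsg-3ubuntu0.16.10.1"},
    "16.04": {"libvncserver1": "0.9.10+dfsg-3ubuntu0.16.04.1",
              "libvncclient1": "0.9.10+dfsg-3ubuntu0.16.04.1"},
    "14.04": {"libvncserver0": "0.9.9+dfsg-1ubuntu1.2"},
    "12.04": {"libvncserver0": "0.9.8.2-2ubuntu1.2"},
}

def _order(c):
    # Debian character order: '~' sorts before everything, letters before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    # Alternating non-digit/digit runs. The trailing 0 marks the end of a run,
    # so '~' (-1) sorts before it and every other character after it.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    """Sort key ordering Debian version strings as epoch, upstream, revision."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), _part_key(upstream), _part_key(rev)

def audit(inventory):
    """Return (host, package, installed, fixed) for each package older than the fix."""
    findings = []
    for host, release, pkg, installed in inventory:
        fixed = FIXED.get(release, {}).get(pkg)
        if fixed and deb_key(installed) < deb_key(fixed):
            findings.append((host, pkg, installed, fixed))
    return findings

# Constructed inventory rows: (host, Ubuntu release, package, installed version).
SAMPLE = [
    ("web01", "16.04", "libvncclient1", "0.9.10+dfsg-3build1"),
    ("web02", "16.04", "libvncclient1", "0.9.10+dfsg-3ubuntu0.16.04.1"),
    ("kiosk1", "14.04", "libvncserver0", "0.9.9+dfsg-1ubuntu1.1"),
    ("lab3", "16.10", "libvncserver1", "0.9.10+dfsg-3ubuntu0.16.10.2"),
]

if __name__ == "__main__":
    for host, pkg, installed, fixed in audit(SAMPLE):
        print(f"{host}: {pkg} {installed} is older than fixed version {fixed}")
```

A plain string comparison would mis-order these versions (for example `0.9.9` against `0.9.10`), which is why the comparison splits each version into numeric and non-numeric runs.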