Debian LTS Advisory ([SECURITY] [DLA 2016-1] ssvnc security update)

The remote host is missing an update for the 'ssvnc' package(s) announced via the DSA-2016-1 advisory.

Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver (which also ships the libvncclient shared library). The ssvnc source package in Debian ships a custom-patched, stripped down and outdated variant of libvncclient, thus some of libvncclient's security fixes required porting over. CVE-2018-20020 LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution CVE-2018-20021 LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM CVE-2018-20022 LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR. CVE-2018-20024 LibVNC contained null pointer dereference in VNC client code that could result DoS.

'ssvnc' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 8 'Jessie', these problems have been fixed in version 1.0.29-2+deb8u1. We recommend that you upgrade your ssvnc packages.