Debian LTS Advisory ([SECURITY] [DLA 1652-1] libvncserver security update)

A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update. CVE-2018-15126 An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension. CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues.

libvncserver on Debian Linux

This check tests the installed software version using the apt package manager.

For Debian 8 'Jessie', these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u5. We recommend that you upgrade your libvncserver packages.