VNC server library gets security fix

Debian plugs overflow vuln

An important fix for libvncserver has landed in Debian and on the library's GitHub page.

Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers.

As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.

Clients could be attacked either for denial-of-service, or potentially for remote code execution.
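To show the defensive side of this bug class, here is an added example (not libvncserver's code and not the actual patch): a VNC client has to check every server-supplied FramebufferUpdate rectangle against its own framebuffer before decoding pixels into the heap buffer, because the server chooses all four coordinates. The struct names, `apply_raw_rect()` and the `selftest()` helper are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed example, not libvncserver code: the fields of an RFB
 * FramebufferUpdate rectangle header (RFC 6143, 7.6.1). A malicious
 * server controls every one of these values. */
typedef struct { uint16_t x, y, w, h; int32_t encoding; } rfb_rect_hdr;

/* Hypothetical client framebuffer: width*height 32-bit pixels on the heap. */
typedef struct { uint16_t width, height; uint32_t *pixels; } client_fb;

/* Accept a rectangle only if it lies entirely inside the framebuffer.
 * Widen to 32 bits first so x+w and y+h cannot wrap around. */
bool rect_in_bounds(const client_fb *fb, const rfb_rect_hdr *r)
{
    return r->w != 0 && r->h != 0 &&
           (uint32_t)r->x + r->w <= fb->width &&
           (uint32_t)r->y + r->h <= fb->height;
}

/* Copy a raw-encoded rectangle (already read from the wire) into the
 * framebuffer; 0 on success, -1 if the header is rejected. Without the
 * check, server-chosen x/y/w/h steer the memcpy past the end of
 * fb->pixels: the heap-overflow class the advisory describes. */
int apply_raw_rect(client_fb *fb, const rfb_rect_hdr *r, const uint32_t *src)
{
    if (!rect_in_bounds(fb, r))
        return -1;
    for (uint32_t row = 0; row < r->h; row++)
        memcpy(fb->pixels + ((uint32_t)r->y + row) * fb->width + r->x,
               src + row * r->w, (size_t)r->w * sizeof(uint32_t));
    return 0;
}

/* Self-check on a constructed 8x4 framebuffer: a 4x2 rectangle at (2,1)
 * is applied; one running off the right edge and one with x=65535 (which
 * would pass a 16-bit x+w check) are refused. Returns 0 if all hold. */
int selftest(void)
{
    uint32_t buf[8 * 4] = {0}, src[4 * 2];
    client_fb fb = { 8, 4, buf };
    rfb_rect_hdr ok = {2, 1, 4, 2, 0}, edge = {6, 0, 4, 1, 0}, wrap = {65535, 0, 2, 1, 0};
    for (int i = 0; i < 8; i++) src[i] = 0xAA000000u | (uint32_t)i;
    if (apply_raw_rect(&fb, &ok, src) != 0) return 1;
    if (buf[1 * 8 + 2] != 0xAA000000u || buf[2 * 8 + 5] != 0xAA000007u) return 2;
    if (apply_raw_rect(&fb, &edge, src) != -1) return 3;
    if (rect_in_bounds(&fb, &wrap)) return 4;
    return 0;
}
```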

The folks at libvncserver pushed out their own patch on December 30 – so if you're a dev using the library, get it and start patching. It's the first new libvncserver code release since October 2014.

Debian's other recent security patches include Tomcat 7 and Tomcat 8 security updates, to close CVE-2016-8745: “incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure”. ®

Biting the hand that feeds IT © 1998–2017