VNC server library gets security fix

Debian plugs overflow vuln

An important fix for libvncserver has landed in Debian and on the library's GitHub page.

Late in 2016, flaws emerged in the libvncserver VNC libraries that left clients vulnerable to malicious servers.

As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.

A malicious server could use these flaws against connecting clients for denial of service or, potentially, remote code execution.
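As an added illustration of the bug class the advisory names, and not libvncserver's own code or the actual fix for these CVEs, here is a constructed RFB FramebufferUpdate rectangle parser in C with the bounds check a client must make before copying server-supplied pixels into its heap framebuffer. The framebuffer geometry, the raw-encoding assumption and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Framebuffer geometry the client advertised (constructed values). */
#define FB_WIDTH  640
#define FB_HEIGHT 480
#define BPP       4   /* bytes per pixel, assumed 32-bit pixel format */

/* One rectangle header from a server FramebufferUpdate message
 * (RFB protocol: x, y, w, h as big-endian u16; the encoding field follows). */
typedef struct { uint16_t x, y, w, h; } rfb_rect;

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 8-byte rectangle header; false if fewer than 8 bytes are available. */
bool parse_rect(const uint8_t *buf, size_t len, rfb_rect *r) {
    if (len < 8) return false;
    r->x = rd_u16(buf);     r->y = rd_u16(buf + 2);
    r->w = rd_u16(buf + 4); r->h = rd_u16(buf + 6);
    return true;
}

/* The check the client must make BEFORE writing pixels: every server-supplied
 * coordinate is untrusted. Sums are computed in 32 bits so x + w cannot wrap
 * around the way a 16-bit addition would. */
bool rect_fits(const rfb_rect *r, uint32_t fb_w, uint32_t fb_h) {
    return (uint32_t)r->x + r->w <= fb_w && (uint32_t)r->y + r->h <= fb_h;
}

/* Copy raw-encoded pixel data for one rectangle into the heap framebuffer.
 * Returns the number of pixel bytes consumed, or 0 if the rectangle was
 * rejected (out of bounds, or the server sent fewer bytes than it promised). */
size_t apply_raw_rect(uint8_t *fb, uint32_t fb_w, uint32_t fb_h,
                      const rfb_rect *r, const uint8_t *pix, size_t pix_len) {
    if (!rect_fits(r, fb_w, fb_h)) return 0;
    size_t row_bytes = (size_t)r->w * BPP;
    if (pix_len < row_bytes * r->h) return 0;
    for (uint32_t row = 0; row < r->h; row++) {
        size_t off = ((size_t)(r->y + row) * fb_w + r->x) * BPP;
        memcpy(fb + off, pix + row * row_bytes, row_bytes);
    }
    return row_bytes * r->h;
}
```

Without the `rect_fits` check a header such as x=65535, w=2 passes a naive 16-bit comparison and the `memcpy` writes past the end of the framebuffer allocation.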

The folks at libvncserver pushed out their own patch on December 30 – so if you're a dev using the library, get it and start patching. It's the first new libvncserver code release since October 2014.

Debian's other recent security patches include Tomcat 7 and Tomcat 8 security updates, to close CVE-2016-8745: “incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure”. ®

Biting the hand that feeds IT © 1998–2017