| Description: | Summary:
The remote host is missing an update for the Debian 'libvncserver' package(s) announced via the DLA-2264-1 advisory.
Vulnerability Insight:
Several vulnerabilities have been discovered in libVNC (libvncserver Debian package), an implemenantation of the VNC server and client protocol.
CVE-2019-20839
libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket filename.
CVE-2020-14397
libvncserver/rfbregion.c had a NULL pointer dereference.
CVE-2020-14399
Byte-aligned data was accessed through uint32_t pointers in libvncclient/rfbproto.c.
CVE-2020-14400
Byte-aligned data was accessed through uint16_t pointers in libvncserver/translate.c.
CVE-2020-14401
libvncserver/scale.c had a pixel_value integer overflow.
CVE-2020-14402
libvncserver/corre.c allowed out-of-bounds access via encodings.
CVE-2020-14403
libvncserver/hextile.c allowed out-of-bounds access via encodings.
CVE-2020-14404
libvncserver/rre.c allowed out-of-bounds access via encodings.
CVE-2020-14405
libvncclient/rfbproto.c does not limit TextChat size.
For Debian 8 Jessie, these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u8.
We recommend that you upgrade your libvncserver packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'libvncserver' package(s) on Debian 8.
Solution:
Please install the updated package(s).
CVSS Score:
6.4
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:P
|
