An important fix for libvncserver has landed in Debian and on the library’s GitHub page.
Late in 2016, bugs surfaced in the VNC libraries that left clients vulnerable to malicious servers.
As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The client-side code incorrectly handled incoming packets from the server, leading to heap-based buffer overflows.
A malicious or compromised server could therefore crash a connecting client (denial of service) or potentially execute code on it.
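To make the bug class concrete, here is an added illustration (not code from libvncserver, the Debian patch, or the CVE fixes) of how a VNC client can be overflowed by a server: a handler that copies a framebuffer rectangle using the server-supplied geometry as-is, beside one that validates it. The `Framebuffer` struct, the simplified raw-rectangle message layout (big-endian x, y, w, h followed by w*h*bpp pixel bytes), the function names and the sample messages are all hypothetical constructions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client-side framebuffer (illustration, not libvncserver's structures). */
typedef struct {
    uint16_t width, height;
    uint8_t  bpp;       /* bytes per pixel */
    uint8_t *pixels;    /* heap block of width * height * bpp bytes */
} Framebuffer;

static Framebuffer *fb_new(uint16_t w, uint16_t h, uint8_t bpp)
{
    Framebuffer *fb = calloc(1, sizeof *fb);
    if (!fb) return NULL;
    fb->width = w; fb->height = h; fb->bpp = bpp;
    fb->pixels = calloc((size_t)w * h, bpp);
    if (!fb->pixels) { free(fb); return NULL; }
    return fb;
}

static void fb_free(Framebuffer *fb) { if (fb) { free(fb->pixels); free(fb); } }

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Constructed rectangle header, RFB-style big-endian: x, y, w, h (8 bytes). */
static void put_rect_hdr(uint8_t *msg, uint16_t x, uint16_t y, uint16_t w, uint16_t h)
{
    wr_u16(msg, x); wr_u16(msg + 2, y); wr_u16(msg + 4, w); wr_u16(msg + 6, h);
}

/* Vulnerable pattern: rectangle geometry comes from the server and is trusted.
 * A server sending x+w > width, y+h > height, or fewer payload bytes than w*h*bpp
 * makes memcpy write past (or read past) the heap allocation. */
int apply_raw_rect_unchecked(Framebuffer *fb, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 8) return -1;
    uint16_t x = rd_u16(msg), y = rd_u16(msg + 2), w = rd_u16(msg + 4), h = rd_u16(msg + 6);
    size_t row = (size_t)w * fb->bpp;
    for (uint16_t r = 0; r < h; r++) {
        uint8_t *dst = fb->pixels + ((size_t)(y + r) * fb->width + x) * fb->bpp;
        memcpy(dst, msg + 8 + (size_t)r * row, row);   /* no bounds check on dst or src */
    }
    return 0;
}

/* Hardened: reject anything that does not fit the framebuffer or the message. */
int apply_raw_rect_checked(Framebuffer *fb, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 8) return -1;
    uint16_t x = rd_u16(msg), y = rd_u16(msg + 2), w = rd_u16(msg + 4), h = rd_u16(msg + 6);
    /* 32-bit sums so x+w and y+h cannot wrap before the comparison */
    if ((uint32_t)x + w > fb->width || (uint32_t)y + h > fb->height) return -1;
    size_t row = (size_t)w * fb->bpp;
    if (h && row > SIZE_MAX / h) return -1;     /* w*h*bpp would overflow size_t */
    size_t need = row * h;
    if (msg_len - 8 < need) return -1;          /* server claims more pixels than it sent */
    for (uint16_t r = 0; r < h; r++) {
        uint8_t *dst = fb->pixels + ((size_t)(y + r) * fb->width + x) * fb->bpp;
        memcpy(dst, msg + 8 + (size_t)r * row, row);
    }
    return 0;
}

/* Run the checked handler on a constructed 4x4, 1 byte-per-pixel framebuffer with the
 * given header and payload_len bytes of 0xAB pixel data (payload_len <= 16).
 * Returns 0 if accepted, -1 if rejected, -2 if accepted but pixels landed wrong. */
int checked_result(uint16_t x, uint16_t y, uint16_t w, uint16_t h, size_t payload_len)
{
    Framebuffer *fb = fb_new(4, 4, 1);
    uint8_t msg[8 + 16];
    if (!fb || payload_len > 16) { fb_free(fb); return -3; }
    put_rect_hdr(msg, x, y, w, h);
    memset(msg + 8, 0xAB, payload_len);
    int rc = apply_raw_rect_checked(fb, msg, 8 + payload_len);
    if (rc == 0) {
        /* every accepted pixel must be inside the rectangle, and the rest untouched */
        for (uint16_t r = 0; r < 4; r++)
            for (uint16_t c = 0; c < 4; c++) {
                int inside = (r >= y && r < y + h && c >= x && c < x + w);
                if (fb->pixels[r * 4 + c] != (inside ? 0xAB : 0)) rc = -2;
            }
    }
    fb_free(fb);
    return rc;
}

int main(void)
{
    printf("valid 2x2 at (1,1):        %d\n", checked_result(1, 1, 2, 2, 4));       /* 0  */
    printf("65535-wide rect:           %d\n", checked_result(0, 0, 0xFFFF, 1, 4));  /* -1 */
    printf("x=65535 (would wrap u16):  %d\n", checked_result(0xFFFF, 0, 2, 1, 4));  /* -1 */
    printf("2x2 with 3 payload bytes:  %d\n", checked_result(0, 0, 2, 2, 3));       /* -1 */
    return 0;
}
```

The unchecked handler is deliberately never fed the malicious headers here; with the 65535-wide rectangle it would `memcpy` tens of kilobytes past a 16-byte heap block, which is exactly the crash-or-worse outcome the advisory describes. The three rejections in the hardened version correspond to the three things a client must verify against a server-controlled header: the rectangle lies inside its own framebuffer, the size arithmetic cannot overflow, and the message actually carries as many bytes as the header claims.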
The folks at libvncserver pushed out their own patch on December 30 – so if you’re a dev using the library, get it and start patching. It’s the first new libvncserver code release since October 2014.
Debian’s other recent security patches include Tomcat 7 and Tomcat 8 security updates, to close CVE-2016-8745: “incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure”. ®