Source: libvncserver
Version: 0.9.11+dfsg-1.3
Severity: grave
Tags: security upstream
Control: found -1 0.9.11+dfsg-1.3~deb9u1

Hi,

The following vulnerability was published for libvncserver, severity is
chosen to be rather on the safe side and the issue has not been fully
checked/investigated for impact/attack vector.

CVE-2019-15681[0]:
| LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains
| a memory leak (CWE-655) in VNC server code, which allow an attacker to
| read stack memory and can be abused for information disclosure.
| Combined with another vulnerability, it can be used to leak stack
| memory and bypass ASLR. This attack appear to be exploitable via
| network connectivity. These vulnerabilities have been fixed in commit
| d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15681
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore