vulnerabilities in libvncserver

Bug #1374043 reported by Jonathan Riddell
Affects          Status   Importance   Assigned to   Milestone
krfb (Ubuntu)             Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Utopic                  Undecided    Unassigned

Bug Description

http://www.kde.org/info/security/advisory-20140923-1.txt

krfb 4.14 embeds libvncserver which has had several security issues.

For future versions krfb instead depends on a system-installed
libvncserver, but for 4.14 the bundled version needs to be updated.

Jonathan Riddell (jr) wrote :
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krfb - 4:4.13.3-0ubuntu1.1

---------------
krfb (4:4.13.3-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
    (LP: #1374043)
    - Add upstream_libvncserver-vulnerabilities.diff
    - http://www.kde.org/info/security/advisory-20140923-1.txt
    - CVE-2014-6053
    - CVE-2014-6054
    - CVE-2014-6055
 -- Jonathan Riddell <email address hidden> Thu, 25 Sep 2014 18:55:56 +0200

Changed in krfb (Ubuntu Trusty):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Jonathan.

I slightly amended the changelog to reflect the different fixed CVEs and use our consistent style for referencing launchpad bugs:

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
    (LP: #1374043)
    - Add upstream_libvncserver-vulnerabilities.diff
    - http://www.kde.org/info/security/advisory-20140923-1.txt
    - CVE-2014-6053
    - CVE-2014-6054
    - CVE-2014-6055

Please use something similar for your Utopic upload. (I built a 4:4.14.0-0ubuntu2.1 in our security ppa for Utopic, but I forgot you can upload to Utopic directly without jumping through the security sponsor process; I can't recall if launchpad will give you trouble if you try to use the same version number I did, but if you get an error message that doesn't make sense, this might be it.)

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krfb - 4:4.14.1-0ubuntu2

---------------
krfb (4:4.14.1-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
   - Add upstream_libvncserver-vulnerabilities.diff
   - http://www.kde.org/info/security/advisory-20140923-1.txt
   - CVE-2014-6055
   - LP: #1374043
 -- Jonathan Riddell <email address hidden> Thu, 25 Sep 2014 18:46:58 +0200

Changed in krfb (Ubuntu Utopic):
status: New → Fix Released