vulnerabilities in libvncserver

Bug #1374043 reported by Jonathan Riddell
Affects        Status        Importance  Assigned to  Milestone
krfb (Ubuntu)  Fix Released  Undecided   Unassigned
Trusty         Fix Released  Undecided   Unassigned
Utopic         Fix Released  Undecided   Unassigned

Bug Description

http://www.kde.org/info/security/advisory-20140923-1.txt

krfb 4.14 embeds libvncserver which has had several security issues.

For future versions krfb instead depends on a system-installed
libvncserver, but for 4.14 the bundled version needs to be updated.

Jonathan Riddell (jr) wrote :
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krfb - 4:4.13.3-0ubuntu1.1

---------------
krfb (4:4.13.3-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
    (LP: #1374043)
    - Add upstream_libvncserver-vulnerabilities.diff
    - http://www.kde.org/info/security/advisory-20140923-1.txt
    - CVE-2014-6053
    - CVE-2014-6054
    - CVE-2014-6055
 -- Jonathan Riddell <email address hidden> Thu, 25 Sep 2014 18:55:56 +0200

Changed in krfb (Ubuntu Trusty):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Jonathan.

I slightly amended the changelog to reflect the different fixed CVEs and use our consistent style for referencing Launchpad bugs:

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
    (LP: #1374043)
    - Add upstream_libvncserver-vulnerabilities.diff
    - http://www.kde.org/info/security/advisory-20140923-1.txt
    - CVE-2014-6053
    - CVE-2014-6054
    - CVE-2014-6055

Please use something similar for your Utopic upload. (I built a 4:4.14.0-0ubuntu2.1 in our security PPA for Utopic, but I forgot you can upload to Utopic directly without jumping through the security sponsor process; I can't recall if Launchpad will give you trouble if you try to use the same version number I did, but if you get an error message that doesn't make sense, this might be it.)

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krfb - 4:4.14.1-0ubuntu2

---------------
krfb (4:4.14.1-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: krfb: multiple security issues in libvncserver.
   - Add upstream_libvncserver-vulnerabilities.diff
   - http://www.kde.org/info/security/advisory-20140923-1.txt
   - CVE-2014-6055
   - LP: #1374043
 -- Jonathan Riddell <email address hidden> Thu, 25 Sep 2014 18:46:58 +0200

Changed in krfb (Ubuntu Utopic):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
