Your message dated Thu, 28 Nov 2019 23:04:59 +0000
with message-id <e1iasqj-000ea8...@fasolo.debian.org>
and subject line Bug#943793: fixed in libvncserver 0.9.12+dfsg-1
has caused the Debian Bug report #943793,
regarding libvncserver: CVE-2019-15681
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
943793: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943793
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.11+dfsg-1.3
Severity: grave
Tags: security upstream
Control: found -1 0.9.11+dfsg-1.3~deb9u1

Hi,

The following vulnerability was published for libvncserver; the severity
is chosen to be rather on the safe side, and the issue has not been fully
checked/investigated for impact/attack vector.

CVE-2019-15681[0]:
| LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains
| a memory leak (CWE-655) in VNC server code, which allows an attacker to
| read stack memory and can be abused for information disclosure.
| Combined with another vulnerability, it can be used to leak stack
| memory and bypass ASLR. This attack appears to be exploitable via
| network connectivity. These vulnerabilities have been fixed in commit
| d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15681
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.12+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 943...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Nov 2019 23:43:20 +0100
Source: libvncserver
Architecture: source
Version: 0.9.12+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-rem...@lists.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 918777 943793
Changes:
 libvncserver (0.9.12+dfsg-1) experimental; urgency=medium
 .
   * New upstream release to experimental. (Closes: #918777).
   * debian/{control,compat}:
     + Switch to debhelper-compat notation. Bump DH compat level to version 12.
   * debian/control:
     + Bump Standards-Version: to 4.4.1. No changes needed.
     + Add Rules-Requires-Root: field and set it to "no".
     + Move package maintenance to Debian Remote Maintainers team, after
       personal communication with Peter Spiess-Knafl. Thanks for all
       previous contributions. Also, make myself uploader.
     + Update Vcs-*: fields. Packaging VCS has been moved over to
       salsa.debian.org.
     + Update B-Ds; Use cmake for building this package from now on.
       Autotools support has been dropped by upstream.
     + Add B-D: liblzo2-dev. Avoid building embedded miniLZO implementation.
     + Add B-D: libsasl2-dev.
   * debian/patches:
     + Drop 0001-ignore_webclients.patch. No automake support available in
       upstream sources anymore.
     + Drop remove-libpng.patch. Not required anymore since cmake build switch.
     + Add 0001_cmake-multiarch-support.patch. Fix install_targets, so that they
       install to multi-arch libdir.
     + CVE-2019-15681: Add CVE-2019-15681.patch. rfbserver: don't leak stack
       memory to the remote. (Closes: #943793).
   * debian/rules:
     + Add get-orig-source target for maintainers' convenience.
     + Fully switch to cmake based build. Make sure WITH_PNG gets disabled.
     + Enable all hardening flags.
   * debian/{control,libvncserver-config.*}:
     + Drop bin:pkg libvncserver-config. Replace by pkgconfig .pc files.
   * debian/libvnc*.symbols:
     + Update symbols files.
     + Add *Build-Depends-Package: meta-data fields.
   * debian/libvncserver-dev.install:
     + Drop *.a files. Not built by cmake based build implementation anymore.
   * debian/{control,rules}:
     + Drop dbg:pkgs, start a very late dbgsym migration.
   * debian/source/lintian-overrides:
     + Override debug-symbol-migration-possibly-complete. It will be in
       bullseye+1.
   * debian/copyright:
     + Use secure URL in Format: field.
   * debian/libvncserver-dev.examples:
     + Install examples/ folder into dev:pkg.
   * debian/{changelog,control,copyright}:
     + Strip white-spaces off at EOLs.
   * debian/tests/smoketest-libvnc*:
     + Stop using $ADDTMP, replace by $AUTOPKGTEST_TMP.
   * debian/upstream/metadata:
     + Add DEP-12 compliant metadata file


--- End Message ---
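The bug class behind CVE-2019-15681, as an added illustration that is not the upstream patch or any LibVNC code: a message struct assembled on the stack and copied to the wire carries whatever the compiler-inserted padding bytes held. The struct layout, the 0xAA marker, and the function names are constructed for this example; the two fixed variants show zeroing the object and serializing field by field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire message (not the real RFB layout): 1-byte type then a
 * 4-byte length; most ABIs insert 3 padding bytes after 'type'. */
typedef struct { uint8_t type; uint32_t length; } msg_t;
#define STALE 0xAA  /* marker standing in for leftover data on the stack */
/* The slot the struct lives in, pre-filled to model a dirty stack frame. */
typedef union { unsigned char raw[sizeof(msg_t)]; msg_t m; } slot_t;

/* Leaky pattern: only the named fields are assigned, then the whole
 * object is copied to the wire, stale padding bytes included. */
size_t build_leaky(uint8_t *out, uint32_t len) {
    slot_t u;
    memset(u.raw, STALE, sizeof u.raw);   /* simulate a stale stack slot */
    u.m.type = 3; u.m.length = len;       /* padding is never touched */
    memcpy(out, u.raw, sizeof u.raw);
    return sizeof u.raw;
}

/* Minimal fix: zero the whole object before filling in its fields. */
size_t build_zeroed(uint8_t *out, uint32_t len) {
    slot_t u;
    memset(u.raw, STALE, sizeof u.raw);   /* same dirty frame */
    memset(&u.m, 0, sizeof u.m);          /* the one-line fix */
    u.m.type = 3; u.m.length = len;
    memcpy(out, u.raw, sizeof u.raw);
    return sizeof u.raw;
}

/* Preferred fix: serialize field by field into the wire buffer, so no
 * in-memory padding exists to leak (length written big-endian). */
size_t build_serialized(uint8_t *out, uint32_t len) {
    out[0] = 3;
    out[1] = out[2] = out[3] = 0;         /* explicit zero padding */
    out[4] = (uint8_t)(len >> 24); out[5] = (uint8_t)(len >> 16);
    out[6] = (uint8_t)(len >> 8);  out[7] = (uint8_t)len;
    return 8;
}

/* Audit helper: run a builder on a fresh buffer and count bytes between
 * 'type' and 'length' that still carry STALE, i.e. would go out on the wire. */
int leaked_after(size_t (*build)(uint8_t *, uint32_t)) {
    uint8_t buf[16];
    int n = 0;
    build(buf, 7);
    for (size_t i = 1; i < offsetof(msg_t, length); i++)
        if (buf[i] == STALE) n++;
    return n;
}
```

The audit helper is the check a reviewer can apply to any send path that memcpy()s a struct: if any byte between fields survives untouched, it is attacker-visible.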