Bug 212380

Summary:

security/vuxml: Multiple security vulnerabilities in net/libvncserver

Product:

Ports & Packages

Reporter:

Sevan Janiyan <venture37>

Component:

Individual Port(s)

Assignee:

Mark Felder <feld>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

feld, ports-secteam, vlad-fbsd

Priority:

---

Keywords:

patch, security

Version:

Latest

Hardware:

Any

OS:

Any

URL:

http://seclists.org/oss-sec/2014/q3/639

Attachments:

Description	Flags
Add multiple vulns entry for libvncserver	none

Description Sevan Janiyan 2016-09-05 00:00:58 UTC

CVE-2014-6054 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6054

Comment 1 VK 2016-10-07 11:32:12 UTC

Created attachment 175489 [details]
Add multiple vulns entry for libvncserver

It looks to me these issues have been fixed for 0.9.8 and 0.9.9, but I can't get a clear confirmation on that looking at the github commits. We have just recently bumped libvncserver to 0.9.10 (2016-06-24, revision 417416), that version is in the head and 2016-Q4, so I'm marking the vuln for libvncserver < 0.9.10.

Someone please check if I'm wrong.

Comment 2 VK 2016-10-07 11:39:06 UTC

Quick note, I was looking at the wrong commits (debian backports to 0.9.9), so these issues have been reported a month before 0.9.10 was tagged back in 2014. It is also possible not all of them have been fixed for 0.9.10.

Comment 3 Mark Felder freebsd_committer

2016-10-12 01:22:17 UTC

Committed, thanks!

Comment 4 commit-hook freebsd_committer

2016-10-12 01:22:50 UTC

A commit references this bug:

Author: feld
Date: Wed Oct 12 01:22:05 UTC 2016
New revision: 423815
URL: https://svnweb.freebsd.org/changeset/ports/423815

Log:
  Document libvncserver vulnerabilities

  PR:		212380
  Security:	CVE-2014-6051
  Security:	CVE-2014-6052
  Security:	CVE-2014-6053
  Security:	CVE-2014-6054
  Security:	CVE-2014-6055

Changes:
  head/security/vuxml/vuln.xml