|Summary:||security/vuxml: Multiple security vulnerabilities in net/libvncserver|
|Product:||Ports & Packages||Reporter:||Sevan Janiyan <venture37>|
|Component:||Individual Port(s)||Assignee:||Mark Felder <feld>|
|Severity:||Affects Some People||CC:||feld, ports-secteam, vlad-fbsd|
Description Sevan Janiyan 2016-09-05 00:00:58 UTC
CVE-2014-6054 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6054
Comment 1 VK 2016-10-07 11:32:12 UTC
Created attachment 175489 [details] Add multiple vulns entry for libvncserver It looks to me these issues have been fixed for 0.9.8 and 0.9.9, but I can't get a clear confirmation on that looking at the github commits. We have just recently bumped libvncserver to 0.9.10 (2016-06-24, revision 417416), that version is in the head and 2016-Q4, so I'm marking the vuln for libvncserver < 0.9.10. Someone please check if I'm wrong.
Comment 2 VK 2016-10-07 11:39:06 UTC
Quick note, I was looking at the wrong commits (debian backports to 0.9.9), so these issues have been reported a month before 0.9.10 was tagged back in 2014. It is also possible not all of them have been fixed for 0.9.10.
Comment 3 Mark Felder 2016-10-12 01:22:17 UTC
Comment 4 commit-hook 2016-10-12 01:22:50 UTC
A commit references this bug: Author: feld Date: Wed Oct 12 01:22:05 UTC 2016 New revision: 423815 URL: https://svnweb.freebsd.org/changeset/ports/423815 Log: Document libvncserver vulnerabilities PR: 212380 Security: CVE-2014-6051 Security: CVE-2014-6052 Security: CVE-2014-6053 Security: CVE-2014-6054 Security: CVE-2014-6055 Changes: head/security/vuxml/vuln.xml