CVE-2014-6054 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6054
Created attachment 175489
Add multiple vulns entry for libvncserver
It looks to me like these issues have been fixed for 0.9.8 and 0.9.9, but I can't get a clear confirmation of that from looking at the GitHub commits. We have just recently bumped libvncserver to 0.9.10 (2016-06-24, revision 417416); that version is in the head and 2016-Q4, so I'm marking the vuln for libvncserver < 0.9.10.
Someone please check if I'm wrong.
Quick note: I was looking at the wrong commits (Debian backports to 0.9.9), so these issues were reported a month before 0.9.10 was tagged back in 2014. It is also possible that not all of them have been fixed for 0.9.10.
A commit references this bug:
Date: Wed Oct 12 01:22:05 UTC 2016
New revision: 423815
Document libvncserver vulnerabilities