==========================================================================
Ubuntu Security Notice USN-4407-1
July 01, 2020

libvncserver vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in LibVNCServer.
Software Description:
- libvncserver: vnc server library
Details:
It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680)
It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)
It was discovered that LibVNCServer incorrectly handled cursor shape updates. If a user were tricked into connecting to a malicious server, an attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15690, CVE-2019-20788)
It was discovered that LibVNCServer incorrectly handled decoding WebSocket frames. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2017-18922)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04 LTS:
  libvncclient1 0.9.12+dfsg-9ubuntu0.1
  libvncserver1 0.9.12+dfsg-9ubuntu0.1

Ubuntu 19.10:
  libvncclient1 0.9.11+dfsg-1.3ubuntu0.1
  libvncserver1 0.9.11+dfsg-1.3ubuntu0.1

Ubuntu 18.04 LTS:
  libvncclient1 0.9.11+dfsg-1ubuntu1.2
  libvncserver1 0.9.11+dfsg-1ubuntu1.2

Ubuntu 16.04 LTS:
  libvncclient1 0.9.10+dfsg-3ubuntu0.16.04.4
  libvncserver1 0.9.10+dfsg-3ubuntu0.16.04.4
After a standard system update you need to restart LibVNCServer to make all the necessary changes.
References:
  https://usn.ubuntu.com/4407-1
  CVE-2017-18922, CVE-2019-15680, CVE-2019-15681, CVE-2019-15690, CVE-2019-20788

Package Information:
  https://launchpad.net/ubuntu/+source/libvncserver/0.9.12+dfsg-9ubuntu0.1
  https://launchpad.net/ubuntu/+source/libvncserver/0.9.11+dfsg-1.3ubuntu0.1
  https://launchpad.net/ubuntu/+source/libvncserver/0.9.11+dfsg-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/libvncserver/0.9.10+dfsg-3ubuntu0.16.04.4