Fedora and openSUSE have issued advisories on March 27 and 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYNK6ZTW4QSUNWBL3YCZXRC3QMHW7FZK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V6H5NGCIXRMSMA2PEJLBN2LGSLRTCF7L/
https://lists.opensuse.org/opensuse-updates/2018-03/msg00113.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
CC: (none) => cjw, geiger.david68210, lmenut, mageia, marja11, mrambo
Assignee: bugsquad => pkg-bugs
Done!
Advisory:
========================

Updated libvncserver packages fix security vulnerability:

An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets (CVE-2018-7225).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YYNK6ZTW4QSUNWBL3YCZXRC3QMHW7FZK/
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.10-1.3.mga5
libvncserver-devel-0.9.10-1.3.mga5
libvncserver1-0.9.11-1.1.mga6
libvncserver-devel-0.9.11-1.1.mga6

from SRPMS:
libvncserver-0.9.10-1.3.mga5.src.rpm
libvncserver-0.9.11-1.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
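The advisory above describes a client-supplied length field (msg.cct.length, the text length of an RFB ClientCutText message) being used without a bound. As an added illustration, not LibVNCServer's code and not the patch shipped in these packages, the following C sketch shows the kind of validation such a field needs before it drives an allocation or a copy. The function name cct_parse, the status codes and the 1 MiB cap are assumptions made for this example; the 8-byte header layout is the one the RFB protocol defines for ClientCutText.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CCT_MSG_TYPE   6u          /* RFB ClientCutText message type */
#define CCT_HEADER_LEN 8u          /* type(1) + padding(3) + length(4) */
#define CCT_MAX_TEXT   (1u << 20)  /* assumed policy cap (1 MiB), not from the page */

enum cct_status { CCT_OK, CCT_SHORT, CCT_BAD_TYPE, CCT_TOO_LONG,
                  CCT_TRUNCATED, CCT_NOMEM };

/* Hypothetical helper: parse one ClientCutText message from buf[0..avail).
 * On CCT_OK, *text is a NUL-terminated heap copy that the caller frees. */
enum cct_status cct_parse(const uint8_t *buf, size_t avail,
                          char **text, uint32_t *len)
{
    *text = NULL; *len = 0;
    if (avail < CCT_HEADER_LEN)
        return CCT_SHORT;
    if (buf[0] != CCT_MSG_TYPE)
        return CCT_BAD_TYPE;
    /* The length field is a client-controlled big-endian 32-bit value. */
    uint32_t n = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                 ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    /* Bound it while still unsigned, before any allocation or int cast. */
    if (n > CCT_MAX_TEXT)
        return CCT_TOO_LONG;
    /* The claimed length must be backed by bytes actually received. */
    if (n > avail - CCT_HEADER_LEN)
        return CCT_TRUNCATED;
    /* calloc zero-fills, so no stale heap bytes can reach later code. */
    char *p = calloc((size_t)n + 1, 1);
    if (p == NULL)
        return CCT_NOMEM;
    memcpy(p, buf + CCT_HEADER_LEN, n);
    *text = p;
    *len = n;
    return CCT_OK;
}

int main(void)
{
    /* Constructed sample: header claims 0xFFFFFFFF bytes, none follow. */
    const uint8_t huge[] = { 6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
    char *text; uint32_t len;
    printf("status=%d\n", cct_parse(huge, sizeof huge, &text, &len));
    return 0;
}
```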
Installed and tested without issues.

Tested using x11vnc for the server, running locally and remotely (ssh forwarded), and krdc for the client.

System local server: Mageia 6, x86_64, Xorg, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
System remote server: Mageia 6, x86_64, Xvfb, Openbox, Intel CPU, ssh forwarded.
System client: Mageia 6, x86_64, Xorg, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ urpmq --whatrequires libvncserver1-0.9.11-1.1.mga6 | sort -u
krdc
krfb
libvncserver1
libvncserver-devel
linuxvnc
remmina-plugins-vnc
x11vnc
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
MGA5-32 on Dell Latitude D600 Xfce No installation issues. Used x11vnc for the server, vncviewer for the client. I could connect locally as well as from desktop PC to the laptop (MGA6, AMD cpu, Plasma). OK to me.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0198.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED