The following two updates are available for Debian 6 LTS:
[DLA 374-3] cacti regression update
[DLA 380-1] libvncserver security update
[DLA 374-3] cacti regression update
Package : cacti
Version : 0.8.7g-1+squeeze9+deb6u13
CVE ID : CVE-2015-8369
Debian Bug : 807599
It was discovered that there was a regression in the patch intended to fix
CVE-2015-8369 in the recent upload of cacti 0.8.7g-1+squeeze9+deb6u12.
For Debian 6 Squeeze, this issue has been fixed in cacti version
0.8.7g-1+squeeze9+deb6u13.
[DLA 380-1] libvncserver security update
Package : libvncserver
Version : 0.9.7-2+deb6u2
An issue had been discovered and resolved by the libvncserver upstream
developer Karl Runge addressing thread-safety in libvncserver when
libvncserver is used for handling multiple VNC connections [1].
Unfortunately, it is not trivially feasible (because of ABI breakage) to
backport the related patch to libvncserver 0.9.7 as shipped in Debian
squeeze(-lts).
However, the thread-safety patch discussed resolved a related issue of
memory corruption caused by freeing global variables without nullifying
them when reusing them in another "thread", especially occurring when
libvncserver is used for handling multiple VNC connections.
The described issue has been resolved with this version of libvncserver
and users of VNC are recommended to upgrade to this version of the
package.
[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6
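The bug class described in DLA 380-1 (a global freed without being nullified, then reused by the next connection), as an added example that is not libvncserver code or part of the advisory. All names (`g_scratch`, `scratch_get`, `client_gone_flawed`, `client_gone_fixed`, `serve_client`) are hypothetical, and the sketch is single-threaded, so it shows only the nullify-after-free fix, not locking.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical global scratch buffer shared by every client handler. */
static char  *g_scratch = NULL;
static size_t g_scratch_len = 0;

/* Flawed teardown (for contrast, never called here): the block is freed
 * but g_scratch keeps its old address. */
void client_gone_flawed(void) {
    free(g_scratch);
}

/* Hardened teardown: free, then reset the global state so the next
 * handler allocates afresh. A repeated call is a harmless free(NULL). */
void client_gone_fixed(void) {
    free(g_scratch);
    g_scratch = NULL;
    g_scratch_len = 0;
}

/* Return at least `need` bytes, growing the global buffer when required.
 * After client_gone_flawed() the NULL test passes on a dangling pointer:
 * small requests reuse freed memory, larger ones realloc() it again. */
char *scratch_get(size_t need) {
    if (g_scratch == NULL || g_scratch_len < need) {
        char *p = realloc(g_scratch, need);
        if (p == NULL)
            return NULL;
        g_scratch = p;
        g_scratch_len = need;
    }
    return g_scratch;
}

/* One simulated connection; returns bytes handled, or -1 on failure. */
int serve_client(const char *msg) {
    size_t n = strlen(msg) + 1;
    char *buf = scratch_get(n);
    if (buf == NULL)
        return -1;
    memcpy(buf, msg, n);
    int handled = (int)strlen(buf);
    client_gone_fixed();          /* teardown leaves no stale pointer */
    return handled;
}

int main(void) {
    return (serve_client("first client") == 12 && serve_client("2nd") == 3) ? 0 : 1;
}
```

Swapping `client_gone_fixed()` for `client_gone_flawed()` in `serve_client` makes the second connection write through the stale address; building with `-fsanitize=address` reports it as a heap-use-after-free.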