fltk-1.3.4-1.el7, tigervnc-1.8.0-1.el7

Errata ID: AXSA:2017-2026:01

Release date: 
2017/09/04 Monday - 16:12
Title: 
fltk-1.3.4-1.el7, tigervnc-1.8.0-1.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

fltk
FLTK (pronounced "fulltick") is a cross-platform C++ GUI toolkit.
It provides modern GUI functionality without the bloat, and supports
3D graphics via OpenGL and its built-in GLUT emulation.

tigervnc
Virtual Network Computing (VNC) is a remote display system which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures. This package contains a
client which will allow you to connect to other desktops running a VNC
server.

CVE-2016-10207
Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before
21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows
attackers to execute arbitrary code or cause a denial of service
(memory corruption) via unspecified vectors, a different vulnerability
than CVE-2016-1012, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,
CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027,
CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, and CVE-2016-1033.
CVE-2017-5581
Buffer overflow in the ModifiablePixelBuffer::fillRect function in
TigerVNC before 1.7.1 allows remote servers to execute arbitrary code
via an RRE message with subrectangle outside framebuffer boundaries.
CVE-2017-7392
In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx
SSecurityVeNCrypt::SSecurityVeNCrypt), an unauthenticated client can
cause a small memory leak in the server.
CVE-2017-7393
In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an
authenticated client can cause a double free, leading to denial of
service or potentially code execution.
CVE-2017-7394
In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg),
unauthenticated users can crash the server by sending long usernames.
CVE-2017-7395
In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by
causing an integer overflow, an authenticated client can crash the
server.
CVE-2017-7396
In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an
unauthenticated client can cause a small memory leak in the server.
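
The CVE-2017-5581 entry above describes an RRE subrectangle that falls outside the framebuffer. The following is an added example, not TigerVNC's code, of a decoder that rejects such subrectangles before filling; fb_t, fill_rect and decode_rre are hypothetical names, and 32-bit big-endian pixels are assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical framebuffer type for this example (not TigerVNC's class). */
typedef struct { uint32_t *pix; uint16_t w, h; } fb_t;

/* Fill only when the rectangle lies fully inside the framebuffer.
   Operands are 32-bit, so x + w cannot wrap for 16-bit inputs. */
static int fill_rect(fb_t *fb, uint32_t x, uint32_t y,
                     uint32_t w, uint32_t h, uint32_t px) {
    if (x + w > fb->w || y + h > fb->h) return -1;
    for (uint32_t r = y; r < y + h; r++)
        for (uint32_t c = x; c < x + w; c++)
            fb->pix[(size_t)r * fb->w + c] = px;
    return 0;
}

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return be16(p) << 16 | be16(p + 2); }

/* Decode the body of one RRE rectangle whose header gave (rx, ry, rw, rh).
   Body: u32 count, pixel background, count * {pixel, u16 x, y, w, h}.
   Assumes 32-bit big-endian pixels. Returns 0, or -1 if malformed. */
int decode_rre(fb_t *fb, uint16_t rx, uint16_t ry, uint16_t rw, uint16_t rh,
               const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    uint32_t n = be32(buf);
    if (n > (len - 8) / 12) return -1;      /* count must fit the bytes received */
    if (fill_rect(fb, rx, ry, rw, rh, be32(buf + 4)) != 0) return -1;
    const uint8_t *p = buf + 8;
    for (uint32_t i = 0; i < n; i++, p += 12) {
        uint32_t sx = be16(p + 4), sy = be16(p + 6);
        uint32_t sw = be16(p + 8), sh = be16(p + 10);
        /* Subrectangle is relative to the enclosing rectangle: keep it inside. */
        if (sx + sw > rw || sy + sh > rh) return -1;
        if (fill_rect(fb, rx + sx, ry + sy, sw, sh, be32(p)) != 0) return -1;
    }
    return 0;
}

int main(void) {
    uint32_t store[16] = {0};
    fb_t fb = { store, 4, 4 };
    /* Constructed message: background 1, one 2x2 subrect of pixel 9 at (3,3). */
    const uint8_t msg[] = {0,0,0,1, 0,0,0,1, 0,0,0,9, 0,3, 0,3, 0,2, 0,2};
    printf("%d\n", decode_rre(&fb, 0, 0, 4, 4, msg, sizeof msg));
    return 0;
}
```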

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. fltk-1.3.4-1.el7.src.rpm
    Size: 5.02 MB
  2. tigervnc-1.8.0-1.el7.src.rpm
    Size: 1.40 MB

Asianux Server 7 for x86_64
  1. fltk-1.3.4-1.el7.x86_64.rpm
    Size: 559.10 kB
  2. fltk-1.3.4-1.el7.i686.rpm
    Size: 557.38 kB
  3. tigervnc-1.8.0-1.el7.x86_64.rpm
    Size: 237.55 kB
  4. tigervnc-icons-1.8.0-1.el7.noarch.rpm
    Size: 35.83 kB
  5. tigervnc-license-1.8.0-1.el7.noarch.rpm
    Size: 26.59 kB
  6. tigervnc-server-1.8.0-1.el7.x86_64.rpm
    Size: 212.19 kB
  7. tigervnc-server-minimal-1.8.0-1.el7.x86_64.rpm
    Size: 1.04 MB