LibVNCServer-devel-0.9.13-3.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10598 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z LibVNCServer-devel-0.9.13-3.1 on GA media These are all security issues fixed in the LibVNCServer-devel-0.9.13-3.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10598 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10598 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-2450/ SUSE CVE CVE-2006-2450 page https://www.suse.com/security/cve/CVE-2017-18922/ SUSE CVE CVE-2017-18922 page https://www.suse.com/security/cve/CVE-2018-15126/ SUSE CVE CVE-2018-15126 page https://www.suse.com/security/cve/CVE-2018-15127/ SUSE CVE CVE-2018-15127 page https://www.suse.com/security/cve/CVE-2018-20019/ SUSE CVE CVE-2018-20019 page https://www.suse.com/security/cve/CVE-2018-20020/ SUSE CVE CVE-2018-20020 page https://www.suse.com/security/cve/CVE-2018-20021/ SUSE CVE CVE-2018-20021 page https://www.suse.com/security/cve/CVE-2018-20022/ SUSE CVE CVE-2018-20022 page https://www.suse.com/security/cve/CVE-2018-20023/ SUSE CVE CVE-2018-20023 page https://www.suse.com/security/cve/CVE-2018-20024/ SUSE CVE CVE-2018-20024 page https://www.suse.com/security/cve/CVE-2018-20748/ SUSE CVE CVE-2018-20748 page https://www.suse.com/security/cve/CVE-2018-20749/ SUSE CVE CVE-2018-20749 page https://www.suse.com/security/cve/CVE-2018-20750/ SUSE CVE CVE-2018-20750 page https://www.suse.com/security/cve/CVE-2018-21247/ SUSE CVE CVE-2018-21247 page https://www.suse.com/security/cve/CVE-2018-6307/ SUSE CVE CVE-2018-6307 page https://www.suse.com/security/cve/CVE-2018-7225/ SUSE CVE CVE-2018-7225 page https://www.suse.com/security/cve/CVE-2019-15681/ SUSE CVE CVE-2019-15681 page https://www.suse.com/security/cve/CVE-2019-15690/ SUSE CVE CVE-2019-15690 page https://www.suse.com/security/cve/CVE-2019-20788/ SUSE CVE CVE-2019-20788 page https://www.suse.com/security/cve/CVE-2019-20839/ SUSE CVE CVE-2019-20839 page https://www.suse.com/security/cve/CVE-2019-20840/ SUSE CVE CVE-2019-20840 page https://www.suse.com/security/cve/CVE-2020-14397/ SUSE CVE CVE-2020-14397 page https://www.suse.com/security/cve/CVE-2020-14398/ SUSE CVE CVE-2020-14398 page https://www.suse.com/security/cve/CVE-2020-14399/ SUSE CVE CVE-2020-14399 page https://www.suse.com/security/cve/CVE-2020-14400/ SUSE CVE CVE-2020-14400 page https://www.suse.com/security/cve/CVE-2020-14401/ SUSE CVE CVE-2020-14401 page https://www.suse.com/security/cve/CVE-2020-14402/ SUSE CVE CVE-2020-14402 page https://www.suse.com/security/cve/CVE-2020-14403/ SUSE CVE CVE-2020-14403 page https://www.suse.com/security/cve/CVE-2020-14404/ SUSE CVE CVE-2020-14404 page https://www.suse.com/security/cve/CVE-2020-25708/ SUSE CVE CVE-2020-25708 page openSUSE Tumbleweed LibVNCServer-devel-0.9.13-3.1 libvncclient1-0.9.13-3.1 libvncserver1-0.9.13-3.1 LibVNCServer-devel-0.9.13-3.1 as a component of openSUSE Tumbleweed libvncclient1-0.9.13-3.1 as a component of openSUSE Tumbleweed libvncserver1-0.9.13-3.1 as a component of openSUSE Tumbleweed auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369. CVE-2006-2450 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-2450.html CVE-2006-2450 https://bugzilla.suse.com/184418 SUSE Bug 184418 It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow. CVE-2017-18922 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18922.html CVE-2017-18922 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution CVE-2018-15126 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-15126.html CVE-2018-15126 https://bugzilla.suse.com/1120114 SUSE Bug 1120114 LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution CVE-2018-15127 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-15127.html CVE-2018-15127 https://bugzilla.suse.com/1120117 SUSE Bug 1120117 https://bugzilla.suse.com/1123828 SUSE Bug 1123828 https://bugzilla.suse.com/1123832 SUSE Bug 1123832 LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution CVE-2018-20019 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20019.html CVE-2018-20019 https://bugzilla.suse.com/1120118 SUSE Bug 1120118 https://bugzilla.suse.com/1123823 SUSE Bug 1123823 https://bugzilla.suse.com/1155442 SUSE Bug 1155442 LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution CVE-2018-20020 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20020.html CVE-2018-20020 https://bugzilla.suse.com/1120116 SUSE Bug 1120116 https://bugzilla.suse.com/1155472 SUSE Bug 1155472 LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM CVE-2018-20021 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20021.html CVE-2018-20021 https://bugzilla.suse.com/1120122 SUSE Bug 1120122 LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR CVE-2018-20022 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20022.html CVE-2018-20022 https://bugzilla.suse.com/1120120 SUSE Bug 1120120 LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR CVE-2018-20023 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20023.html CVE-2018-20023 https://bugzilla.suse.com/1120119 SUSE Bug 1120119 LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS. CVE-2018-20024 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20024.html CVE-2018-20024 https://bugzilla.suse.com/1120121 SUSE Bug 1120121 LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. CVE-2018-20748 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20748.html CVE-2018-20748 https://bugzilla.suse.com/1120118 SUSE Bug 1120118 https://bugzilla.suse.com/1123823 SUSE Bug 1123823 https://bugzilla.suse.com/1155442 SUSE Bug 1155442 LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. CVE-2018-20749 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20749.html CVE-2018-20749 https://bugzilla.suse.com/1120117 SUSE Bug 1120117 https://bugzilla.suse.com/1123828 SUSE Bug 1123828 https://bugzilla.suse.com/1123832 SUSE Bug 1123832 LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. CVE-2018-20750 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20750.html CVE-2018-20750 https://bugzilla.suse.com/1120117 SUSE Bug 1120117 https://bugzilla.suse.com/1123832 SUSE Bug 1123832 An issue was discovered in LibVNCServer before 0.9.13. There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function. CVE-2018-21247 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-21247.html CVE-2018-21247 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173874 SUSE Bug 1173874 LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. CVE-2018-6307 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-6307.html CVE-2018-6307 https://bugzilla.suse.com/1120115 SUSE Bug 1120115 An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2018-7225 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7225.html CVE-2018-7225 https://bugzilla.suse.com/1081493 SUSE Bug 1081493 https://bugzilla.suse.com/1090647 SUSE Bug 1090647 LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appear to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a. CVE-2019-15681 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15681.html CVE-2019-15681 https://bugzilla.suse.com/1155419 SUSE Bug 1155419 unknown CVE-2019-15690 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15690.html CVE-2019-15690 https://bugzilla.suse.com/1160471 SUSE Bug 1160471 https://bugzilla.suse.com/1170441 SUSE Bug 1170441 libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690. CVE-2019-20788 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20788.html CVE-2019-20788 https://bugzilla.suse.com/1170441 SUSE Bug 1170441 https://bugzilla.suse.com/1173698 SUSE Bug 1173698 libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename. CVE-2019-20839 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20839.html CVE-2019-20839 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173875 SUSE Bug 1173875 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode. CVE-2019-20840 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20840.html CVE-2019-20840 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173876 SUSE Bug 1173876 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference. CVE-2020-14397 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14397.html CVE-2020-14397 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173700 SUSE Bug 1173700 An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c. CVE-2020-14398 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14398.html CVE-2020-14398 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173880 SUSE Bug 1173880 ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed." CVE-2020-14399 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14399.html CVE-2020-14399 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173743 SUSE Bug 1173743 ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary. CVE-2020-14400 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14400.html CVE-2020-14400 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173691 SUSE Bug 1173691 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow. CVE-2020-14401 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14401.html CVE-2020-14401 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173694 SUSE Bug 1173694 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings. CVE-2020-14402 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14402.html CVE-2020-14402 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173701 SUSE Bug 1173701 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings. CVE-2020-14403 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14403.html CVE-2020-14403 https://bugzilla.suse.com/1173701 SUSE Bug 1173701 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings. CVE-2020-14404 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14404.html CVE-2020-14404 https://bugzilla.suse.com/1173701 SUSE Bug 1173701 A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service. CVE-2020-25708 openSUSE Tumbleweed:LibVNCServer-devel-0.9.13-3.1 openSUSE Tumbleweed:libvncclient1-0.9.13-3.1 openSUSE Tumbleweed:libvncserver1-0.9.13-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25708.html CVE-2020-25708 https://bugzilla.suse.com/1178682 SUSE Bug 1178682