New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 5.9
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionUpdated libvncserver packages fix security vulnerabilities :
A malicious VNC server can trigger incorrect memory management handling by advertising a large screen size parameter to the VNC client. This would result in multiple memory corruptions and could allow remote code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).
A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, ClientCutText message length and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).
A malicious VNC client can trigger multiple stack-based buffer overflows by passing a long file and directory names and/or attributes (FileTime) when using the file transfer message feature (CVE-2014-6055).
Additionally libvncserver has been built against the new system minilzo library which is also being provided with this advisory.
SolutionUpdate the affected packages.