Your message dated Fri, 03 Apr 2026 20:51:12 +0000
with message-id <[email protected]>
and subject line Bug#1132017: fixed in libvncserver 0.9.15+dfsg-3
has caused the Debian Bug report #1132017,
regarding libvncserver: CVE-2026-32854
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132017
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.15+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libvncserver.

CVE-2026-32854[0]:
| LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee)
| contain null pointer dereference vulnerabilities in the HTTP proxy
| handlers within httpProcessInput() in httpd.c that allow remote
| attackers to cause a denial of service by sending specially crafted
| HTTP requests. Attackers can exploit missing validation of strchr()
| return values in the CONNECT and GET proxy handling paths to trigger
| null pointer dereferences and crash the server when httpd and proxy
| features are enabled.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32854
    https://www.cve.org/CVERecord?id=CVE-2026-32854
[1] https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
[2] https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
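
The defect class named in the CVE text above, an unchecked strchr() result while parsing CONNECT and GET request lines, shown with the checks in place. This is an added example, not libvncserver's code or the upstream patch; the helper names, the "/tunnel" path and the sample request lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: port from "CONNECT host:port HTTP/1.x", or -1 if the
 * request line is malformed. */
int connect_target_port(const char *line)
{
    if (line == NULL || strncmp(line, "CONNECT ", 8) != 0)
        return -1;
    const char *target = line + 8;
    const char *end = strchr(target, ' ');   /* end of the host:port token */
    const char *colon = strchr(target, ':');
    /* strchr() returns NULL when the byte is absent. The unchecked form,
     * atoi(strchr(line, ':') + 1), reads from NULL + 1 on such input. */
    if (colon == NULL || (end != NULL && colon > end))
        return -1;
    if (!isdigit((unsigned char)colon[1]))
        return -1;
    long port = strtol(colon + 1, NULL, 10);
    return (port >= 1 && port <= 65535) ? (int)port : -1;
}

/* Hypothetical helper: 1 if the GET path starts with prefix, 0 if it does
 * not, -1 if the line is not a GET request or carries no '/' at all. */
int get_path_has_prefix(const char *line, const char *prefix)
{
    if (line == NULL || prefix == NULL || strncmp(line, "GET ", 4) != 0)
        return -1;
    const char *slash = strchr(line + 4, '/');
    if (slash == NULL)
        return -1;
    return strncmp(slash, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    /* Constructed request lines, not captured traffic. */
    const char *lines[] = { "CONNECT localhost:5900 HTTP/1.0\r\n",
                            "CONNECT localhost HTTP/1.0\r\n",
                            "GET /tunnel HTTP/1.0\r\n", "GET \r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d %d\n", connect_target_port(lines[i]),
               get_path_has_prefix(lines[i], "/tunnel HTTP/1."));
    return 0;
}
```

Both helpers reject the malformed line with -1 instead of passing a NULL pointer on to atoi() or strncmp(), so the caller can answer with an error response and keep serving.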
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.15+dfsg-3
Done: Sven Geuer <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Geuer <[email protected]> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Apr 2026 21:20:31 +0200
Source: libvncserver
Architecture: source
Version: 0.9.15+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <[email protected]>
Changed-By: Sven Geuer <[email protected]>
Closes: 1132016 1132017
Changes:
 libvncserver (0.9.15+dfsg-3) unstable; urgency=medium
 .
   * Team upload.
   * debian/patches:
     + CVE-2026-32853: Add 0001_CVE-2026-32853.patch fixing a heap out-of-bounds
       read (Closes: #1132016).
     + CVE-2026-32854: Add 0002_CVE-2026-32854.patch fixing NULL pointer
       dereferences in httpd proxy handlers (Closes: #1132017).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
