
Oracle alert ELSA-2024-10090 (tigervnc)

From:  Errata Announcements for Oracle Linux via El-errata <el-errata@oss.oracle.com>
To:  el-errata@oss.oracle.com
Subject:  [El-errata] ELSA-2024-10090 Important: Oracle Linux 9 tigervnc security update
Date:  Thu, 21 Nov 2024 06:43:03 -0800
Message-ID:  <mailman.894.1732200194.5621.el-errata@oss.oracle.com>

Oracle Linux Security Advisory ELSA-2024-10090

http://linux.oracle.com/errata/ELSA-2024-10090.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
tigervnc-1.14.1-1.el9_5.x86_64.rpm
tigervnc-icons-1.14.1-1.el9_5.noarch.rpm
tigervnc-license-1.14.1-1.el9_5.noarch.rpm
tigervnc-selinux-1.14.1-1.el9_5.noarch.rpm
tigervnc-server-1.14.1-1.el9_5.x86_64.rpm
tigervnc-server-minimal-1.14.1-1.el9_5.x86_64.rpm
tigervnc-server-module-1.14.1-1.el9_5.x86_64.rpm

aarch64:
tigervnc-1.14.1-1.el9_5.aarch64.rpm
tigervnc-icons-1.14.1-1.el9_5.noarch.rpm
tigervnc-license-1.14.1-1.el9_5.noarch.rpm
tigervnc-selinux-1.14.1-1.el9_5.noarch.rpm
tigervnc-server-1.14.1-1.el9_5.aarch64.rpm
tigervnc-server-minimal-1.14.1-1.el9_5.aarch64.rpm
tigervnc-server-module-1.14.1-1.el9_5.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//tigervnc-1.14.1-...

Related CVEs:

CVE-2024-9632

Description of changes:

[1.14.1-1]
- 1.14.1
  Resolves: RHEL-66600
- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
  Resolves: RHEL-62000

[1.13.1-11]
- vncsession: use /bin/sh if the user shell is not set
  Resolves: RHEL-50679

[1.13.1-10]
- vncconfig: add option to force view-only remote client connections
  Resolves: RHEL-12144

[1.13.1-9]
- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
  Resolves: RHEL-30756
- Fix CVE-2024-31083 tigervnc: xorg-x11-server: Use-after-free in ProcRenderAddGlyphs
  Resolves: RHEL-30768
- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
  Resolves: RHEL-30762

[1.13.1-8]
- Fix copy/paste error in the DeviceStateNotify
  Resolves: RHEL-20533

[1.13.1-7]
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
  Resolves: RHEL-20389
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
  Resolves: RHEL-20383
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
  Resolves: RHEL-20533
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
  Resolves: RHEL-21213

[1.13.1-6]
- Use dup() to get available file descriptor when using -inetd option
  Resolves: RHEL-19858

[1.13.1-5]
- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
  Resolves: RHEL-18414
- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
  Resolves: RHEL-18426

[1.13.1-4]
- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
  Resolves: RHEL-15237
- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
  Resolves: RHEL-15249

[1.13.1-3]
- Support username alias in PlainUsers
  Resolves: RHEL-8430

[1.13.1-2]
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
  Resolves: bz#2180310

[1.13.1-1]
- 1.13.1
  Resolves: bz#2175732

[1.12.0-12]
- SELinux: allow vncsession create .vnc directory
  Resolves: bz#2164703

[1.12.0-11]
- Add sanity check when cleaning up keymap changes
  Resolves: bz#2169965

[1.12.0-10]
- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
  Resolves: bz#2167061

[1.12.0-9]
- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix

[1.12.0-8]
- Rebuild for xorg-x11-server CVEs
  Resolves: CVE-2022-4283 (bz#2154234)
  Resolves: CVE-2022-46340 (bz#2154221)
  Resolves: CVE-2022-46341 (bz#2154224)
  Resolves: CVE-2022-46342 (bz#2154226)
  Resolves: CVE-2022-46343 (bz#2154228)
  Resolves: CVE-2022-46344 (bz#2154230)

[1.12.0-7]
- x0vncserver: add new keysym in case we don't find matching keycode
  + actually apply the patch
  Resolves: bz#2119017

[1.12.0-6]
- x0vncserver: add new keysym in case we don't find matching keycode
  Resolves: bz#2119017

_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata

