The following two updates are avaiable for Debian 6 LTS:
[DLA 374-3] cacti regression update
[DLA 380-1] libvncserver security update
[DLA 374-3] cacti regression update
[DLA 380-1] libvncserver security update
[DLA 374-3] cacti regression update
Package : cacti
Version : 0.8.7g-1+squeeze9+deb6u13
CVE ID : CVE-2015-8369
Debian Bug : 807599
It was discovered that there was a regression in the patch intended to fix
CVE-2015-8369 in the recent upload of cacti 0.8.7g-1+squeeze9+deb6u12.
For Debian 6 Squeeze, this issue has been fixed in cacti version
0.8.7g-1+squeeze9+deb6u13.
[DLA 380-1] libvncserver security update
Package : libvncserver
Version : 0.9.7-2+deb6u2
An issue had been discovered and resolved by the libvncserver upstream
developer Karl Runge addressing thread-safety in libvncserver when
libvncserver is used for handling multiple VNC connections [1].
Unfortunately, it is not trivially feasible (because of ABI breakage) to
backport the related patch to libvncserver 0.9.7 as shipped in Debian
squeeze(-lts).
However, the thread-safety patch discussed resolved a related issue of
memory corruption caused by freeing global variables without nullifying
them when reusing them in another "thread", especially occurring when
libvncserver is used for handling multiple VNC connections
The described issue has been resolved with this version of libvncserver
and users of VNC are recommended to upgrade to this version of the
package.
[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6
