Package: vnc4
Version: 4.1.1 X4.3.0-37.6 b1
Tags: security,fixed-upstream

Hello!
Today I stumbled upon the fact that the current Xvnc4 server delivered by Debian is vulnerable to a 10-year-old security problem, namely CVE-2006-2369. In short: if a VNC password is configured, but a malicious VNC client nevertheless sends secType=authNone, it can proceed without password verification.

This can easily be proved by building such a malicious client with the patch found here, for example: http://www.securityfocus.com/archive/1/archive/1/438175/100/0/threaded

The CVE description claims the problem has been fixed in upstream version 4.1.2. So I'd suggest either switching to that version, or extracting the secTypes fix from there.

Thanks!
Roman
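Added example, not code from the bug report or from the vnc4 package: a Python model of the RFB 3.7/3.8 security-type handshake, showing the missing server-side check the report describes next to the validation that closes it. The security-type numbers are the ones defined by the RFB protocol; the message shapes and the "vulnerable" model are simplified assumptions based on the report's description, not the package's actual code.

```python
# RFB security-type numbers (from the RFB protocol specification).
SEC_INVALID = 0
SEC_NONE = 1      # "authNone": no authentication at all
SEC_VNCAUTH = 2   # classic VNC challenge/response password check


def offered_types(password_configured):
    """Security types the server advertises in its ServerSecurity message."""
    return [SEC_VNCAUTH] if password_configured else [SEC_NONE]


def server_security_message(types):
    """Wire form of ServerSecurity: one count byte followed by one byte per type."""
    return bytes([len(types)] + list(types))


def parse_client_security_type(data):
    """ClientSecurityType is a single unsigned byte naming the chosen type."""
    if len(data) != 1:
        raise ValueError("expected exactly one byte")
    return data[0]


def negotiate_vulnerable(password_configured, client_choice):
    """Modelled flaw (assumption): the server acts on the client's byte without
    checking it against the list it offered, so authNone bypasses the password."""
    if client_choice == SEC_NONE:
        return "authenticated"      # password never checked
    if client_choice == SEC_VNCAUTH:
        return "challenge"          # proceed to VNC auth
    return "rejected"


def negotiate_fixed(password_configured, client_choice):
    """Hardened: the chosen type must be one the server actually offered."""
    if client_choice not in offered_types(password_configured):
        # A client picking an unoffered type is a protocol violation worth logging.
        return "rejected"
    if client_choice == SEC_NONE:
        return "authenticated"
    return "challenge"


if __name__ == "__main__":
    # Constructed exchange: password set, client answers with authNone (0x01).
    wire = server_security_message(offered_types(True))
    choice = parse_client_security_type(b"\x01")
    print(wire.hex(), negotiate_vulnerable(True, choice), negotiate_fixed(True, choice))
```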