Hi Roman Thanks for the report. Sorry for the answer delay. This mail was hidden among a number of auto-generated bugs so I did not spot it until today. I'll have a look at this asap.
// Ola On Fri, Mar 4, 2016 at 4:56 PM, <ro...@hodek.net> wrote: > Package: vnc4 > Version: 4.1.1 X4.3.0-37.6 b1 > Tags: security,fixed-upstream > > Hello! > > Today I stumbled about the fact that the current Xvnc4 server delivered by > Debian is vulnerable to a 10 year old security problem, namely > CVE-2006-2369. > > In short: If a VNC password is configured, but a malicious VNC client > nevertheless sends secType=authNone, it can proceed without password > verification. > > This can be easily proved by building such a malicious client with the > patch > found here, for example: > http://www.securityfocus.com/archive/1/archive/1/438175/100/0/threaded > > The CVE description claims the problem has been fixed in upstream version > 4.1.2. So I'd suggest to either switch to that version, or to extract the > secTypes fix from there. > > Thanks! > Roman > -- --- Inguza Technology AB --- MSc in Information Technology ---- / o...@inguza.com Folkebogatan 26 \ | o...@debian.org 654 68 KARLSTAD | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---------------------------------------------------------------
