Hi Steffen

I'll upload a new package when built. Can the package be built using etch, as that is what I have on my main Debian development machine? I know that I got restrictions on some other package lately.

Best regards,

// Ola

On Thu, Jan 29, 2009 at 05:30:24PM -0500, Steffen Joeris wrote:
> Package: xvnc4viewer
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for vnc4.
>
> CVE-2008-4770[0]:
> | The CMsgReader::readRect function in the VNC Viewer component in
> | RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0
> | through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote
> | VNC servers to execute arbitrary code via crafted RFB protocol data,
> | related to "encoding type."
>
> The upstream patch[1] can be found in the redhat bugreport[2].
>
> For lenny, this could be fixed via migration from unstable. Please CC
> secure-testing-t...@lists.alioth.debian.org when you email the release
> team and ask for the unblock, so we are kept in the loop.
>
> I guess the issue is also severe enough to warrant a DSA update. I
> haven't tried to exploit it yet though.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> Cheers
> Steffen
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770
>     http://security-tracker.debian.net/tracker/CVE-2008-4770
> [1] https://bugzilla.redhat.com/attachment.cgi?id=329323
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=480590
>

-- 
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     Annebergsslingan 37      \
|  o...@inguza.com                     654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------