[Secure-testing-team] Re: Version 4.1.2
Ola Lundqvist
ola at opalsys.net
Mon May 15 18:58:22 UTC 2006
Hi
I'm now building a new vnc package with your (Martin's) patch.
Thanks a lot for the help.
For testing security team:
Read more about the issue on
http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
http://it.slashdot.org/article.pl?sid=06/05/11/2344217&from=rss
http://www.freerepublic.com/focus/f-news/1630902/posts
http://www.securityfocus.com/archive/1/433994/30/0/threaded
The version will soon exist in unstable as vnc4_4.1.1+X4.3.0-10
I do not really suspect any problem with the merge from unstable to testing,
but I want you to be informed anyway.
// Ola
On Mon, May 15, 2006 at 01:05:29AM +0200, Martin Koegler wrote:
> On Sun, May 14, 2006 at 08:40:54PM +0200, Ola Lundqvist wrote:
> > I'm trying to locate the sources of 4.1.2, do you know where I can find them?
>
> At the moment, RealVNC has removed the current sources from their homepage.
> I tried to locate them yesterday, but I found none, so I tried to locate
> the security problem myself.
>
> In the meantime, the mailing lists have also disappeared from the RealVNC homepage (Google
> knows some mirrors, e.g. opensubscriber.com).
>
> My impression is that RealVNC is hiding all information (including sources/patches)
> about the authentication bypass, as this bug is relatively easy to find and exploit if
> you know that it exists.
>
> As updates are available for all RealVNC Editions (and their KVM switch), the bug seems
> to affect all of them. I assume that they will therefore continue with their information
> hiding for some time.
>
> The only way to fix the security problem for self-compiled versions is my patch at the moment,
> as far as I know.
>
> Best regards, Martin Kögler
>
--
--- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/ ola at opalsys.net Annebergsslingan 37 \
| opal at debian.org 654 65 KARLSTAD |
| http://www.opal.dhs.org Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------