Your message dated Sat, 11 Jul 2026 12:07:55 +0000
with message-id <[email protected]>
and subject line Bug#1136644: fixed in neatvnc 0.9.1+dfsg-1.1
has caused the Debian Bug report #1136644,
regarding neatvnc: CVE-2026-42859
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136644: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136644
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neatvnc
Version: CVE-2026-42859
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for neatvnc.

CVE-2026-42859[0]:
| Neat VNC is a VNC server library. Prior to 0.9.6, a pre-
| authentication stack buffer overflow exists in neatvnc in the RSA-
| AES security type handler. An unauthenticated remote attacker who
| can reach the VNC listening socket can send a crafted security type
| 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an
| oversized client RSA public key, causing rsa_aes_send_challenge in
| src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when
| encrypting the server challenge. This results in at least a denial
| of service via server crash. This vulnerability is fixed in 0.9.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42859
    https://www.cve.org/CVERecord?id=CVE-2026-42859
[1] https://github.com/any1/neatvnc/security/advisories/GHSA-567c-gpv8-qh9h
[2] 
https://github.com/any1/neatvnc/commit/1f6cd6b75cc167fed3a19a9d1552a1f662f6b337

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: neatvnc
Source-Version: 0.9.1+dfsg-1.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
neatvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated neatvnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Jul 2026 20:56:40 +0300
Source: neatvnc
Architecture: source
Version: 0.9.1+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Han Gao <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1136644
Changes:
 neatvnc (0.9.1+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-42859: Buffer overflow with oversized RSA public keys
     (Closes: #1136644)
   * auth: vencrypt: Reject excessively long usernames and passwords
Checksums-Sha1:
 be2275bbdbeec7a26ec0f1b1ad798363eef49504 2103 neatvnc_0.9.1+dfsg-1.1.dsc
 6f9e5a04a77fa0479f5808367aa71e0e25867157 13988 
neatvnc_0.9.1+dfsg-1.1.debian.tar.xz
Checksums-Sha256:
 49f7ab7f6da4d9e5e527aa462fed472584b0617518acae91c52c4a8742e6c4af 2103 
neatvnc_0.9.1+dfsg-1.1.dsc
 255b2f172b417c0c6337fe3e5d9db2b1e032848d02e2e99b8d09496c70b31f8b 13988 
neatvnc_0.9.1+dfsg-1.1.debian.tar.xz
Files:
 4b5fa3293cbbc4165bc33881b2568ac0 2103 libs optional neatvnc_0.9.1+dfsg-1.1.dsc
 48df7ca2cb9e09c4b0113cd5e4993811 13988 libs optional 
neatvnc_0.9.1+dfsg-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpL7w4ACgkQiNJCh6LY
mLG+6BAAqOOMG7hcRj2FoR+l3KYqfXAGxoJdVt4UWKLcHLu0X9AAy1cBU2Kg4ra0
LT8QYF4D82Qua0h8fHp5Ow+wfxwCGD88jjrmtkD4B+V6NYMohVv7Hwv2kMmYOxCw
sYQF5TplLDGs6+QOULQU/aLNtiYWkms2cU6RK5UBRCcVvGNoGxa1PhzLu5v2PEnz
h1L0UrLRZSkRrSz/of5uGpGn7nTce6gIJeH0WCOoEaXFHqzB8yYd55wGmirqrw7c
u9oY/xOCC3s1IkkD/uFhNu57BYvQTxIBjJTOJkjt9582w5KxAKTAIHulHTFb4BkG
f51/wSuRugXvA2Tw5xSRcWzneJFR5UFFqY4r74iAAO/SkK5B9RmLhpvxzATv0Mw1
hizqUrMAwtHH+hM9lOGDX7dCUfQPvwkloC8MTHuQLpGrOD8T4bKmM36tpY0Pk6i+
qImr9zmlXs600Z8cq+Dv8dADl/rmNGyn520WZbGeriTPYuS1s+PHBTbq0PHnBCXK
em+xLoS6k6Bd5vYXukEY36pjB2Hl/NfBqqyZ6rwowRIi+t7kA2qHavJKioydVkCf
f1YsSldczSxNFX3IV6XKrArF1t+NO69hx9HxpYl4ctRv0TXE04+u9UYb+V5bH/XC
c1iw4n35jE5iXpPSrEt5VFJBVc0+WDi4X9oO+2dDomn5JlD2U2A=
=MvQp
-----END PGP SIGNATURE-----

Attachment: pgpBaYIXdeN4I.pgp
Description: PGP signature


--- End Message ---

Reply via email to