[Bug 77383] Re: vnc4 authentication bypass

2007-04-26 Thread Peter Clifton
Is this still a vulnerability in Feisty? Shouldn't Feisty merge to the upstream version 4.1.2 which doesn't have the problem? It's very confusing to tell if vulnerable or not if fixes are backported, but the version number is still based at the known broken 4.1.1.

[Bug 77383] Re: vnc4 authentication bypass

2007-01-27 Thread Martin Jürgens
** Changed in: vnc4 (Ubuntu Edgy) Status: Fix Committed => Fix Released -- vnc4 authentication bypass https://launchpad.net/bugs/77383 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 77383] Re: vnc4 authentication bypass

2007-01-07 Thread feranick
This update seemed to have broken vnc4server in Edgy, see bug #78282. It was working with version: vnc4 4.1.1+xorg1.0.2-0ubuntu1

[Bug 77383] Re: vnc4 authentication bypass

2007-01-07 Thread William Grant
That is true, unfortunately. Not a use-case I tested, as I didn't expect an Edgy build to cause a /etc/X11/Xsession running with DISPLAY set to an Xvnc server to cause the process executing it to terminate, when running an xterm and the like on the Xvnc server ran fine. A rather odd problem, this

[Bug 77383] Re: vnc4 authentication bypass

2007-01-06 Thread Kees Cook
** Changed in: vnc4 (Ubuntu Dapper) Status: Fix Committed => Fix Released

[Bug 77383] Re: vnc4 authentication bypass

2007-01-06 Thread Kees Cook
Great! Thanks for tracking down that sneaky bit. Since the sparc FTBFS happened on the security buildd's, I needed to bump the version for the edgy-security debdiff. I'll upload that and get it building again. (I changed the edgy debdiff version to vnc4_4.1.1+xorg1.0.2-0ubuntu1.6.10.1) I went

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
I've backported the appropriate patch from 4.1.2 to the versions in Dapper and Edgy (which happen to be the same). ** Changed in: vnc4 (Ubuntu Dapper) Status: Unconfirmed => In Progress ** Changed in: vnc4 (Ubuntu Edgy) Status: Unconfirmed => In Progress ** Attachment added: debdiff

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
** Attachment added: debdiff for Dapper http://librarian.launchpad.net/5600272/dapper.diff

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
I note that this vulnerability was released over 7 months ago now... It was reported (in bug 50913) a little over a month after it was discovered, and pitti posted a comment mentioning that a MOTU could take care of it if they wanted. Unfortunately, there's no proper universe security process, so

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread Kees Cook
Hmm... an additional problem with vnc4 is that it doesn't build on edgy (or feisty), it seems. Were you able to build and test your debdiff on edgy? Perhaps the best approach would be to fix the build in feisty first, and then figure out what's needed to make it build edgy from there:

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread Kees Cook
Looks great! Go ahead and upload a version to feisty, since your fix should work there as well. ** Changed in: vnc4 (Ubuntu) Status: Unconfirmed => Fix Committed ** Changed in: vnc4 (Ubuntu Dapper) Status: In Progress => Fix Committed ** Changed in: vnc4 (Ubuntu Edgy)

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
mesa-swrast-source seems to have been replaced by mesa-swx11-source, so I've updated the Build-Depends. Also killing the build were a few bashisms in debian/rules. I've fixed them, and tested it (I made the mistake of thinking that if the changes worked in Dapper, they'd work in Edgy too; of

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
Fix uploaded to Feisty. ** Changed in: vnc4 (Ubuntu) Status: Fix Committed => Fix Released

[Bug 77383] Re: vnc4 authentication bypass

2007-01-05 Thread William Grant
The sparc version FTBFSed on Edgy and Feisty, due to a removed header being included in the included Xorg. Here's a debdiff which should fix the issue. ** Attachment added: fixed debdiff for edgy-security http://librarian.launchpad.net/5609943/edgy.diff

[Bug 77383] Re: vnc4 authentication bypass

2007-01-03 Thread towsonu2003
cve: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369 debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395809 ** Changed in: vnc4 (Ubuntu) Importance: Undecided => Critical ** This bug has been flagged as a security issue

[Bug 77383] Re: vnc4 authentication bypass

2007-01-03 Thread Kai Kasurinen
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369

[Bug 77383] Re: vnc4 authentication bypass

2007-01-03 Thread Kees Cook
Thanks for this report! If anyone has time to package up a debdiff for Dapper and Edgy, I would be happy to review and publish the USN. ** Bug watch added: Debian Bug tracker #395809 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395809 ** Also affects: vnc4 (Debian) via

[Bug 77383] Re: vnc4 authentication bypass

2007-01-03 Thread Bug Watch Updater
** Changed in: vnc4 (Debian) Status: Unknown => Fix Released

[Bug 77383] Re: vnc4 authentication bypass

2007-01-03 Thread towsonu2003
** Changed in: vnc4 (Ubuntu Edgy) Importance: Undecided => Critical ** Changed in: vnc4 (Ubuntu Dapper) Importance: Undecided => Critical