[Secure-testing-team] Re: Version 4.1.2

Martin Koegler mkoegler at auto.tuwien.ac.at
Mon May 15 22:26:03 UTC 2006


On Mon, May 15, 2006 at 08:58:22PM +0200, Ola Lundqvist wrote:
> I'm now building a new vnc package with your (Martin's) patch.
> Thanks a lot for the help.
> 
> For testing security team:
> Read more about the issue on
> http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
> http://it.slashdot.org/article.pl?sid=06/05/11/2344217&from=rss
> http://www.freerepublic.com/focus/f-news/1630902/posts
> http://www.securityfocus.com/archive/1/433994/30/0/threaded
> 
> The version will soon exist in unstable as vnc4_4.1.1+X4.3.0-10
> 
> I do not really suspect a problem with the merge from unstable to testing
> but I want you to be informed anyway.

The source for 4.1.2 is now available:
http://www.realvnc.com/pipermail/vnc-list/2006-May/054936.html

The main difference to my patch is that they use
  if (i == secTypes.end())
to check for an invalid security type. I use
  if (*i != secType)

mfg Martin Kögler
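
The check discussed in the message above, as an added example that is not code from RealVNC 4.1.2 or from Martin's patch: the server accepts the client's security type byte only if it appears in the list the server offered. The function names, the Choice enum and the sample messages are hypothetical; the type numbers 1 (None) and 2 (VNC Authentication) are the RFB protocol constants.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <list>
#include <vector>

// RFB security type numbers (protocol constants).
const uint8_t secTypeNone = 1;
const uint8_t secTypeVncAuth = 2;

// Hypothetical result type for this example.
enum class Choice { Accepted, Malformed, NotOffered };

// Server -> client: one count byte followed by the offered types.
// Assumes fewer than 256 offered types, as the count is a single byte.
std::vector<uint8_t> buildOffer(const std::list<uint8_t>& secTypes) {
    std::vector<uint8_t> msg;
    msg.push_back(static_cast<uint8_t>(secTypes.size()));
    msg.insert(msg.end(), secTypes.begin(), secTypes.end());
    return msg;
}

// Client -> server: exactly one byte naming the chosen type.
// The byte comes from the network, so it is checked against the
// server's own list instead of being trusted as a valid type.
Choice checkClientChoice(const std::list<uint8_t>& secTypes,
                         const std::vector<uint8_t>& reply) {
    if (reply.size() != 1)
        return Choice::Malformed;
    const uint8_t secType = reply[0];
    std::list<uint8_t>::const_iterator i =
        std::find(secTypes.begin(), secTypes.end(), secType);
    // end() means the search found nothing. A test that dereferences i
    // instead is only valid where i is guaranteed not to be end().
    if (i == secTypes.end())
        return Choice::NotOffered;
    return Choice::Accepted;
}

int main() {
    // Constructed sample: server offers VNC Authentication only.
    std::list<uint8_t> offered(1, secTypeVncAuth);
    std::vector<uint8_t> reply(1, secTypeNone);  // type not in the offer
    bool rejected = checkClientChoice(offered, reply) == Choice::NotOffered;
    std::cout << (rejected ? "rejected" : "accepted") << "\n";
    return rejected ? 0 : 1;
}
```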


