lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20060607130747.42jqwd7tjd444wgc@www.dynet.com.mx>
Date: Wed, 07 Jun 2006 13:07:47 -0500
From: Jose Ramirez <jose.ramirez@...et.com.mx>
To: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise


This is a problem for version 4.1.1 only, so if you have earlier versions you
must not worry about it.
http://isc.sans.org/diary.php?storyid=1331

Jose Ramirez



Quoting Ray Van Dolson <rayvd@...italpath.net>:

> On Mon, Jun 05, 2006 at 05:33:29PM -0600, Kurt Seifried wrote:
>> >How is it that even though this vulnerability has been known now for
>> >some time, Red Hat still has not issued a new package or security update
>> >that addresses this?  On RHN, the most recent package I can find is
>> >4.0.0 beta and the most recent security patch for VNC dates back to
>> >December 2004.  Since Red Hat started distributing the package, why has
>> >it not been kept up with?
>>
>> Probably because customers are not bugging them to much for it?  I've never
>> used vnc-server on Linux or seen it used to be honest, and although it is a
>> nasty problem it's easy to deal with (just firewall it to trusted systems
>> or wrap a VPN around it). They are obviously aware of this issue (it was
>> fixed in Fedora Core 5, reported by Mark J. Cox).
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191692
>>
>
> That bugzilla report makes it sound like RHEL versions of VNC are
> unaffected?
>
> "I've verified that by altering a client in this way you are able to bypass
> password authentication in vnc 4.1.1 but not in earlier versions as shipped
> in Red Hat Enterprise Linux (their server connection souce code is
> different)."
>
> Ray
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ