Bug 78828

Summary: Upgrade to tightVNC 1.2.7 from 1.2.2
Product: [Retired] Red Hat Public Beta
Component: vnc
Version: phoebe
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Security
Hardware: All
OS: Linux
Reporter: Dax Kelson <dkelson>
Assignee: Tim Waugh <twaugh>
QA Contact: David Lawrence <dkl>
CC: irc, mitr, mjc, rdieter, wtogami
Doc Type: Bug Fix
Last Closed: 2003-02-21 08:42:34 UTC
Attachments: TightVNC 1.2.6 patch

Description Dax Kelson 2002-12-01 18:36:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Current rawhide and 8.0 vnc has the vnc-3.3.3r2-unix-tight-1.2.2.patch.bz2 patch
being applied.

Please upgrade to the latest stable release of TightVNC 1.2.6.

Reasons for upgrading:

1. Fixed a repeated challenge replay attack
    vulnerability, bugtraq id 5296.

2. Fixed a problem in the I/O subsystem that was
    introduced in TightVNC 1.2.2 and was causing major slowdown in
    communication with clients

3.  Java viewer was GREATLY improved: the code was converted to Java
    1.1, painting techniques were re-designed completely

4.  Can use the system zlib.

Many other benefits... I've been custom patching my RH VNC rpms locally for
a while with great results.

IMHO, the security hole mandates an upgrade if for no other reason.


Additional info:

The author doesn't distribute patches anymore (since 1.2.2) so I made a patch.

http://www.gurulabs.com/files/vnc-3.3.3r2-unix-tight-1.2.6.patch.bz2

You can get the new Java viewer binary from:

http://umn.dl.sourceforge.net/sourceforge/vnc-tight/tightvnc-1.2.6_javabin.tar.gz

Comment 1 Dax Kelson 2002-12-01 18:37:06 UTC
Created attachment 86985 [details]
TightVNC 1.2.6 patch

Comment 3 Mark J. Cox 2002-12-09 13:06:34 UTC
This is now CAN-2002-1336

Comment 4 Dax Kelson 2002-12-29 03:19:31 UTC
TightVNC 1.2.7 is out now

Comment 5 Dax Kelson 2002-12-29 03:21:48 UTC
1.2.7 changes:

  - Unix and Win32 versions, Java viewer: The most significant problem
    with local cursor handling has been solved -- now clients can see
    remote cursor movements performed on the server or by another
    client. New PointerPos encoding and cursor shape updates both
    minimize bandwidth requirements and greatly improve responsiveness
    of the mouse pointer, while still allow to track correct pointer
    position in all situations.

  - Unix and Win32 versions: In all the places where display numbers
    had to be used, now it's easy to use port numbers as well. The
    viewers now allow to use new "hostname::port" syntax, in addition
    to the traditional "hostname:display" format. The same new syntax
    can be used in the "Add new client" dialog of Win32 server. In the
    server, now it's equally easy to set display and port numbers. 
    Besides that, HTTP and RFB port numbers can be set individually.

  - Unix and Win32 versions: In servers, decreased JPEG quality
    factors for low quality levels. This improves bandwidth usage
    while the image quality remains satisfactory in most cases. In
    clients, JPEG compression is now enabled by default, because
    usually it's a reasonable choice. To prevent viewers from
    requesting JPEG compression, new -nojpeg option can be used.

  - Unix version: Bugfix for Xvnc's -localhost and -interface options
    that were broken on many systems, thanks to Luke Mewburn for the
    bugfix. Xvnc -version command-line option is now supported.

  - Tight encoding is now documented in rfbproto.h files within source
    archives.

  - Java viewer: Implemented new buttons "Login again" and "Close
    window" near the disconnect or error messages in the applet mode,
    and introduced new "Offer Relogin" parameter to control this
    improvement. Thanks to Peter Astrand for the initial version of
    the "Login again" patch.

  - Java viewer: Support for connections via HTTP proxies using HTTP
    CONNECT method. This will not work in the applet mode, due to Java
    security restrictions.

  - Java viewer: Extra .vnc files have been removed, having just
    index.vnc should be enough. Also, an example HTML page has been
    prepared, to simplify installation under a standalone Web server.

  - Java viewer: Added a MANIFEST to the JAR archive, to allow easy
    execution of the JAR file, using java -jar command-line option.

  - Other minor improvements and bugfixes.
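
The changelog quoted above introduces the "hostname::port" syntax alongside the traditional "hostname:display" format. The following is an added example, not part of the comment or of TightVNC's code: it resolves either form to a TCP port so an inventory of VNC targets can be checked against a firewall policy. It assumes the usual convention that display N is served on TCP port 5900 + N, treats an empty host as the local machine, and does not handle IPv6 literals; the function names and sample hosts are constructed for illustration.

```python
RFB_BASE_PORT = 5900  # assumption: display N is served on TCP port 5900 + N

def _number(text, what):
    # Accept plain ASCII digits only, so "x", "-1" and "" are all rejected.
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"invalid {what}: {text!r}")
    return int(text)

def parse_vnc_target(spec):
    """Return (host, tcp_port) for 'host', 'host:display' or 'host::port'."""
    spec = spec.strip()
    host, double, rest = spec.partition("::")
    if double:                       # new syntax: explicit TCP port
        port = _number(rest, "port")
    else:                            # traditional syntax: display number
        host, single, rest = spec.partition(":")
        port = RFB_BASE_PORT + (_number(rest, "display") if single else 0)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    # Assumption of this example: an empty host part means the local machine.
    return (host or "localhost", port)

def audit_targets(specs, allowed_ports):
    """Return [(spec, finding)] for specs that are malformed or off-policy."""
    findings = []
    for spec in specs:
        try:
            host, port = parse_vnc_target(spec)
        except ValueError as exc:
            findings.append((spec, str(exc)))
            continue
        if port not in allowed_ports:
            findings.append((spec, f"{host} uses TCP {port}, not in allowed set"))
    return findings

# Constructed sample inventory, not taken from the bug report.
SAMPLE = ["build01:1", "build01::5901", "kiosk::8080", "lab7", "db02:x"]

if __name__ == "__main__":
    for spec, finding in audit_targets(SAMPLE, allowed_ports={5900, 5901}):
        print(f"{spec}: {finding}")
```
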

Comment 6 Rex Dieter 2003-01-15 16:45:35 UTC
Or consider upgrading to (real)vnc-3.3.6.  (-: 
http://www.realvnc.org/.  

Comment 7 Mark J. Cox 2003-01-16 15:50:37 UTC
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below.
You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-287.html


Comment 8 Mark J. Cox 2003-01-16 15:56:00 UTC
Reopening since the erratum was for Advanced Server.  The Red Hat Linux variant
is on its way soon.

Comment 9 Mark J. Cox 2003-02-21 08:42:34 UTC
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below.
You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-041.html