Bug 78828 - Upgrade to tightVNC 1.2.7 from 1.2.2
Status: CLOSED ERRATA
Product: Red Hat Public Beta
Classification: Retired
Component: vnc
Version: phoebe
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tim Waugh
QA Contact: David Lawrence
Keywords: Security
Reported: 2002-12-01 13:36 EST by Dax Kelson
Modified: 2007-04-18 12:48 EDT
Doc Type: Bug Fix
Last Closed: 2003-02-21 03:42:34 EST

Attachments
TightVNC 1.2.6 patch (130.94 KB, application/octet-stream)
2002-12-01 13:37 EST, Dax Kelson

Description Dax Kelson 2002-12-01 13:36:07 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Current rawhide and 8.0 vnc has the vnc-3.3.3r2-unix-tight-1.2.2.patch.bz2 patch
being applied.

Please upgrade to the latest stable release of TightVNC 1.2.6.

Reasons for upgrading:

1. Fixed a repeated challenge replay attack
    vulnerability, bugtraq id 5296.

2. Fixed a problem in the I/O subsystem that was
    introduced in TightVNC 1.2.2 and was causing major slowdown in
    communication with clients

3.  Java viewer was GREATLY improved: the code was converted to Java
    1.1, painting techniques were re-designed completely

4.  Can use the system zlib.

Many other benefits... I've been custom patching my RH VNC rpms locally for
a while with great results.

IMHO, the security hole mandates an upgrade if for no other reason.


Additional info:

The author doesn't distribute patches anymore (since 1.2.2) so I made a patch.

http://www.gurulabs.com/files/vnc-3.3.3r2-unix-tight-1.2.6.patch.bz2

You can get the new Java viewer binary from:

http://umn.dl.sourceforge.net/sourceforge/vnc-tight/tightvnc-1.2.6_javabin.tar.gz
Comment 1 Dax Kelson 2002-12-01 13:37:06 EST
Created attachment 86985
TightVNC 1.2.6 patch
Comment 2 Mark J. Cox (Product Security) 2002-12-02 04:59:30 EST
ref: http://marc.theaimsgroup.com/?l=vnc-list&m=103073945409801&w=2
ref: http://www.securityfocus.com/bid/5296 
cve: no-match
Comment 3 Mark J. Cox (Product Security) 2002-12-09 08:06:34 EST
This is now CAN-2002-1336
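
CAN-2002-1336 is the repeated-challenge issue from item 1 of the report: a server that issues the same 16-byte challenge to more than one connection makes an observed response reusable. The following is an added example, not part of this bug report or of TightVNC; it parses the server side of RFB 3.3 handshakes and flags challenges that occur more than once. The session records and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

RFB_VERSION_LEN = 12   # ProtocolVersion message, e.g. b"RFB 003.003\n"
SEC_VNC_AUTH = 2       # RFB 3.3 authentication scheme: VNC authentication
CHALLENGE_LEN = 16     # size of the server's random challenge


def extract_challenge(server_bytes):
    """Return the 16-byte challenge from the server side of an RFB 3.3
    handshake, or None if VNC authentication was not used or the
    capture is truncated."""
    if not server_bytes.startswith(b"RFB "):
        return None
    if len(server_bytes) < RFB_VERSION_LEN + 4:
        return None
    start = RFB_VERSION_LEN + 4
    (scheme,) = struct.unpack(">I", server_bytes[RFB_VERSION_LEN:start])
    if scheme != SEC_VNC_AUTH:
        return None
    challenge = server_bytes[start:start + CHALLENGE_LEN]
    return challenge if len(challenge) == CHALLENGE_LEN else None


def find_reused_challenges(sessions):
    """sessions: iterable of (session_id, server_bytes).
    Returns {challenge_hex: [session_ids]} for challenges seen more than once."""
    seen = defaultdict(list)
    for session_id, data in sessions:
        challenge = extract_challenge(data)
        if challenge is not None:
            seen[challenge.hex()].append(session_id)
    return {c: ids for c, ids in seen.items() if len(ids) > 1}


def _hello(challenge, scheme=SEC_VNC_AUTH):
    # Builds a constructed server handshake prefix (not real traffic).
    return b"RFB 003.003\n" + struct.pack(">I", scheme) + challenge


SAMPLE_SESSIONS = [
    ("conn-1", _hello(bytes(range(16)))),
    ("conn-2", _hello(bytes(range(16, 32)))),
    ("conn-3", _hello(bytes(range(16)))),   # same challenge as conn-1
    ("conn-4", _hello(b"", scheme=1)),      # no authentication
    ("conn-5", _hello(b"\x01\x02\x03")),    # truncated capture
]

if __name__ == "__main__":
    for challenge, ids in find_reused_challenges(SAMPLE_SESSIONS).items():
        print(f"challenge {challenge} reused by {ids}")
```
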
Comment 4 Dax Kelson 2002-12-28 22:19:31 EST
TightVNC 1.2.7 is out now
Comment 5 Dax Kelson 2002-12-28 22:21:48 EST
1.2.7 changes:

  - Unix and Win32 versions, Java viewer: The most significant problem
    with local cursor handling has been solved -- now clients can see
    remote cursor movements performed on the server or by another
    client. New PointerPos encoding and cursor shape updates both
    minimize bandwidth requirements and greatly improve responsiveness
    of the mouse pointer, while still allow to track correct pointer
    position in all situations.

  - Unix and Win32 versions: In all the places where display numbers
    had to be used, now it's easy to use port numbers as well. The
    viewers now allow to use new "hostname::port" syntax, in addition
    to the traditional "hostname:display" format. The same new syntax
    can be used in the "Add new client" dialog of Win32 server. In the
    server, now it's equally easy to set display and port numbers. 
    Besides that, HTTP and RFB port numbers can be set individually.

  - Unix and Win32 versions: In servers, decreased JPEG quality
    factors for low quality levels. This improves bandwidth usage
    while the image quality remains satisfactory in most cases. In
    clients, JPEG compression is now enabled by default, because
    usually it's a reasonable choice. To prevent viewers from
    requesting JPEG compression, new -nojpeg option can be used.

  - Unix version: Bugfix for Xvnc's -localhost and -interface options
    that were broken on many systems, thanks to Luke Mewburn for the
    bugfix. Xvnc -version command-line option is now supported.

  - Tight encoding is now documented in rfbproto.h files within source
    archives.

  - Java viewer: Implemented new buttons "Login again" and "Close
    window" near the disconnect or error messages in the applet mode,
    and introduced new "Offer Relogin" parameter to control this
    improvement. Thanks to Peter Astrand for the initial version of
    the "Login again" patch.

  - Java viewer: Support for connections via HTTP proxies using HTTP
    CONNECT method. This will not work in the applet mode, due to Java
    security restrictions.

  - Java viewer: Extra .vnc files have been removed, having just
    index.vnc should be enough. Also, an example HTML page has been
    prepared, to simplify installation under a standalone Web server.

  - Java viewer: Added a MANIFEST to the JAR archive, to allow easy
    execution of the JAR file, using java -jar command-line option.

  - Other minor improvements and bugfixes.
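
The "hostname::port" syntax in the changelog above means a viewer target no longer has to resolve to a port in the display range, which matters when firewall rules were written for displays only. The following is an added example, not code from TightVNC or this bug report; it resolves both syntaxes to a TCP port and lists targets outside an allowed set. It assumes the RFB convention of display N on TCP 5900 + N and that an empty host means localhost; the function names and sample targets are constructed.

```python
RFB_BASE_PORT = 5900  # RFB convention: display N is served on TCP 5900 + N


def parse_vnc_target(target):
    """Resolve 'host', 'host:display' or 'host::port' to (host, tcp_port).
    Raises ValueError for malformed or out-of-range values."""
    if "::" in target:
        host, _, num = target.partition("::")
        offset = 0                      # explicit TCP port
    elif ":" in target:
        host, _, num = target.partition(":")
        offset = RFB_BASE_PORT          # display number
    else:
        host, num, offset = target, "0", RFB_BASE_PORT
    if not (num.isascii() and num.isdigit()):
        raise ValueError(f"not a number in {target!r}")
    port = int(num) + offset
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {target!r}")
    # Assumption: an empty host (":1") refers to the local machine.
    return (host or "localhost", port)


def targets_outside_allowlist(targets, allowed_ports):
    """Return (target, reason) for every target that is malformed or
    resolves to a TCP port not in allowed_ports."""
    flagged = []
    for target in targets:
        try:
            host, port = parse_vnc_target(target)
        except ValueError as exc:
            flagged.append((target, str(exc)))
            continue
        if port not in allowed_ports:
            flagged.append((target, f"resolves to {host}:{port}"))
    return flagged


# Constructed sample targets and an allowlist covering displays 0-2.
SAMPLE_TARGETS = ["desk1:1", "desk2::5901", "jump::443", ":2", "lab:70000", "srv"]
ALLOWED_PORTS = {5900, 5901, 5902}

if __name__ == "__main__":
    for target, reason in targets_outside_allowlist(SAMPLE_TARGETS, ALLOWED_PORTS):
        print(f"{target}: {reason}")
```
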
Comment 6 Rex Dieter 2003-01-15 11:45:35 EST
Or consider upgrading to (real)vnc-3.3.6.  (-: 
http://www.realvnc.org/.  
Comment 7 Mark J. Cox (Product Security) 2003-01-16 10:50:37 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-287.html
Comment 8 Mark J. Cox (Product Security) 2003-01-16 10:56:00 EST
reopening since the erratum was for Advanced Server.  The Red Hat Linux variant
is on its way soon.
Comment 9 Mark J. Cox (Product Security) 2003-02-21 03:42:34 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-041.html
