Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: tightvnc (200302-15)
Date: Tue, 25 Feb 2003 10:26:27
Message-Id: 20030224113632.ADFFF33B63@mail1.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - ---------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT 200302-15
6 - - ---------------------------------------------------------------------
7
8 PACKAGE : tightvnc
9 SUMMARY : insecure cookie generation
10 DATE : 2003-02-24 11:34 UTC
11 EXPLOIT : remote
12 VERSIONS AFFECTED : <1.2.8
13 FIXED VERSION : 1.2.8
14
15 - - ---------------------------------------------------------------------
16
17 - From Red Hat Security Advisory RHSA-2003:041-12:
18
19 "The VNC server acts as an X server, but the script for starting it
20 generates an MIT X cookie (which is used for X authentication) without
21 using a strong enough random number generator. This could allow an
22 attacker to be able to more easily guess the authentication cookie."
23
24 Read the full advisory at:
25 https://rhn.redhat.com/errata/RHSA-2003-041.html
26
27 SOLUTION
28
29 It is recommended that all Gentoo Linux users who are running
30 net-misc/tightvnc upgrade to tightvnc-1.2.8 as follows:
31
32 emerge sync
33 emerge -u tightvnc
34 emerge clean
35
36 - - ---------------------------------------------------------------------
37 aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
38 - - ---------------------------------------------------------------------
39 -----BEGIN PGP SIGNATURE-----
40 Version: GnuPG v1.2.1 (GNU/Linux)
41
42 iD8DBQE+WgMufT7nyhUpoZMRAiKmAJ4qnkKGdjD3mizWhjUmWTcXrM0aqACeOp45
43 r+jWLJSEsOaSmhXb73IYMPc=
44 =Rml2
45 -----END PGP SIGNATURE-----