[Full-Disclosure] GLSA: vnc (200302-16)

• Previous message: Daniel Ahlberg: "[Full-Disclosure] GLSA: apcupsd (200302-13)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Daniel Ahlberg <aliz@gentoo.org>
To: full-disclosure@lists.netsys.com
Date: Mon, 24 Feb 2003 12:35:16 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-16
- - ---------------------------------------------------------------------

          PACKAGE : vnc
          SUMMARY : insecure cookie generation
             DATE : 2003-02-24 11:35 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : <3.3.6-r1
    FIXED VERSION : 3.3.6-r1

- - ---------------------------------------------------------------------

- From Red Hat Security Advisory RHSA-2003:041-12:

"The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie."

Read the full advisory at:
https://rhn.redhat.com/errata/RHSA-2003-041.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/vnc upgrade to vnc-3.3.6-r1 as follows:

emerge sync
emerge -u vnc
emerge clean

- - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+WgNxfT7nyhUpoZMRAjgdAKCkBB7XPF4iXhpPvHW9YQ0lTrTKIACeLKjx
wcygjjWoyxpABWAfLk4BX1A=
=HPqI
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Next message: Daniel Ahlberg: "[Full-Disclosure] GLSA: tightvnc (200302-15)"
• Previous message: Daniel Ahlberg: "[Full-Disclosure] GLSA: apcupsd (200302-13)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-Disclosure] GLSA: tightvnc (200302-15) ... "The VNC server acts as an X server, but the script for starting it ... attacker to be able to more easily guess the authentication cookie." ... It is recommended that all Gentoo Linux users who are running ... emerge -u tightvnc ... (Full-Disclosure) GLSA: tightvnc (200302-15) ... "The VNC server acts as an X server, but the script for starting it ... attacker to be able to more easily guess the authentication cookie." ... It is recommended that all Gentoo Linux users who are running ... emerge -u tightvnc ... (Bugtraq) GLSA: vnc (200302-16) ... "The VNC server acts as an X server, but the script for starting it ... attacker to be able to more easily guess the authentication cookie." ... It is recommended that all Gentoo Linux users who are running ... emerge -u vnc ... (Bugtraq) [Full-Disclosure] GLSA: krb5 ... A stack buffer overflow in the implementation of the Kerberos v4 ... The attacker does not need to authenticate to the daemon to ... It is recommended that all Gentoo Linux users who are running ... emerge rsync ... (Full-Disclosure) [Full-Disclosure] GLSA: man (200303-13) ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge sync ... (Full-Disclosure)