Subject: [gentoo-announce] [ GLSA 202411-01 ] Neat VNC: Authentication Bypass
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Wed, 06 Nov 2024 10:05:33 -0000
Message-ID: <173088753340.7.16882186571510904109@3f85d36892cf>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202411-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Neat VNC: Authentication Bypass
      Date: November 06, 2024
      Bugs: #937140
        ID: 202411-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Neat VNC, which can lead to
authentication bypass.

Background
==========

Neat VNC is a liberally licensed VNC server library that's intended to be
fast and neat.

Affected packages
=================

Package            Vulnerable    Unaffected
----------------   ------------  ------------
gui-libs/neatvnc   < 0.8.1       >= 0.8.1

Description
===========

Neat VNC allows remote attackers to bypass authentication via a request in
which the client specifies an insecure security type such as "Type 1 -
None", which is accepted even if it is not offered by the server, as
originally demonstrated using a long password.

Impact
======

A remote attacker can opt not to use any authentication method and access
the VNC server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Neat VNC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gui-libs/neatvnc-0.8.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
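The negotiation check the Description refers to, as an added illustration that is not part of this advisory or of the Neat VNC code base: in the RFB 3.8 handshake the server sends one length byte followed by the list of security types it offers, and the client answers with a single byte naming the one it wants. The struct, the function names and the two handlers below are assumptions for illustration; the vulnerable variant accepts any type the server knows how to handle, while the hardened variant accepts only a type that was actually offered to this client, so a request for type 1 (None) against a server that offered only VNC Authentication is refused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFB security type identifiers (RFC 6143, section 7.1.2, plus VeNCrypt). */
enum rfb_security_type {
	RFB_SECURITY_INVALID = 0,
	RFB_SECURITY_NONE = 1,
	RFB_SECURITY_VNC_AUTH = 2,
	RFB_SECURITY_VENCRYPT = 19,
};

#define MAX_OFFERED_TYPES 8

/* The security types this server offered to one client (hypothetical
 * struct for illustration, not Neat VNC's own representation). */
struct security_offer {
	uint8_t types[MAX_OFFERED_TYPES];
	size_t count;
};

/* Serialise the offer as the server sends it in RFB 3.8: one length byte
 * followed by the list of types. Returns bytes written, 0 on bad input. */
size_t encode_security_offer(const struct security_offer *offer,
			     uint8_t *out, size_t out_len)
{
	if (offer->count == 0 || offer->count > MAX_OFFERED_TYPES ||
	    out_len < offer->count + 1)
		return 0;
	out[0] = (uint8_t)offer->count;
	memcpy(out + 1, offer->types, offer->count);
	return offer->count + 1;
}

/* Vulnerable pattern: the client's one-byte choice is accepted whenever
 * the server implements that type, regardless of what it offered. */
bool vulnerable_accept_security_type(const struct security_offer *offer,
				     uint8_t chosen)
{
	(void)offer; /* the offer is never consulted: that is the defect */
	switch (chosen) {
	case RFB_SECURITY_NONE:
	case RFB_SECURITY_VNC_AUTH:
	case RFB_SECURITY_VENCRYPT:
		return true;
	default:
		return false;
	}
}

/* Hardened pattern: the chosen type must be one this server actually
 * offered to this client; anything else fails the handshake. */
bool hardened_accept_security_type(const struct security_offer *offer,
				   uint8_t chosen)
{
	if (chosen == RFB_SECURITY_INVALID)
		return false;
	for (size_t i = 0; i < offer->count; i++)
		if (offer->types[i] == chosen)
			return true;
	return false;
}

int main(void)
{
	/* Constructed scenario: the server requires a password, so it
	 * offers only VNC Authentication (type 2). */
	struct security_offer offer = { .types = { RFB_SECURITY_VNC_AUTH },
					.count = 1 };
	uint8_t wire[1 + MAX_OFFERED_TYPES];
	size_t n = encode_security_offer(&offer, wire, sizeof wire);
	printf("server offers %zu byte(s):", n);
	for (size_t i = 0; i < n; i++)
		printf(" %02x", wire[i]);
	printf("\n");

	/* Constructed client reply: type 1 (None), which was never offered. */
	uint8_t client_choice = RFB_SECURITY_NONE;
	printf("vulnerable handler accepts None: %s\n",
	       vulnerable_accept_security_type(&offer, client_choice) ? "yes" : "no");
	printf("hardened handler accepts None:   %s\n",
	       hardened_accept_security_type(&offer, client_choice) ? "yes" : "no");
	return 0;
}
```

The point of the membership check is that the offer a server sends is per-connection policy, not merely a hint: a server configured for password or VeNCrypt authentication must treat any reply outside that list as a protocol violation and close the connection rather than fall through to a handler it happens to implement.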
License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its
owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmcrP20ACgkQFMQkOaVy
+9mzQA/8Dp5QO4QKxsuxRQ0MWDtr+bBlJzBW85cshfRYrsLzxzo6Ogkc/rnBVdTI
71YsIZcFZ/jjJlonmzeaeGsV/1C9AsIN9UdkV7zQilshUV+NicSWJJ6bZiTKrZdG
gmrnNur2z/X7YGWqcBhH27zfDLe4H3LGpWw5ZCUEchJj8hxLXnuiR//h7Rd0oF65
M/mDSe8hCOteFrmk5xcoeNB3yTGI6hqVRoeSe1vw4+05Zwse2Maqd3CFjuMm72ur
fePzAPlyvyV0CUkge7ZKzc+c4qwH7RFWhthigljTNlqeul+30iytLcuc7E/YFGEH
Shiaqe90m+qrqeFKCeXyFCHnjsQNihk2OdIemVS2coBY8jGirwoZGJUJ+mjP+H4E
nfW+0msQneDKy1Y2I1GQP+DoWFeRomOMDxPFEAVloP0m5/YJGzQdr0k+VH3LY4vA
dTIYohqj9SpVXYYGfDyOHjhZM0aGtT3VdVoBuj5C2K1b47/y8SYzDTL+1fUJnlRi
dnZ2AJOPJ4WVzcUK063aUR6uSodSG11zn5gr9O+LUnYbZdSo2MgaG31OtfcJxlWy
Ivr3wzHdgzDopNsdnuUR2VyJGZsqHyetLOGQcRDtVb/oD8fQdtf8CkGs6TjgS5M1
JVR30gciDr3x8wWwI+nRrsBKQw9XzMFI6ueYCUMzUlbMsKnn38o=
=xHE0
-----END PGP SIGNATURE-----