Vulnerability CVE-2020-26117: Information
Description
In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| tigervnc | sisyphus | 1.10.1-alt4 | 1.13.1-alt2 | ALT-PU-2020-3339-1 | 261954 | Fixed |
| tigervnc | sisyphus_e2k | 1.11.0-alt1 | 1.13.1-alt2 | ALT-PU-2022-3491-1 | - | Fixed |
| tigervnc | p10 | 1.10.1-alt4 | 1.10.1-alt5 | ALT-PU-2020-3339-1 | 261954 | Fixed |
| tigervnc | p9 | 1.10.1-alt5 | 1.10.1-alt5 | ALT-PU-2021-1185-1 | 265009 | Fixed |
| tigervnc | c10f1 | 1.13.1-alt2 | 1.13.1-alt2 | ALT-PU-2024-3843-3 | 342557 | Fixed |
| tigervnc | c9f2 | 1.13.1-alt2 | 1.13.1-alt2 | ALT-PU-2024-1936-3 | 340033 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb |
|
| https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba |
|
| https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0 |
|
| https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e |
|
| https://bugzilla.opensuse.org/show_bug.cgi?id=1176733 |
|
| https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b |
|
| [debian-lts-announce] 20201006 [SECURITY] [DLA 2396-1] tigervnc security update |
|
| openSUSE-SU-2020:1666 |
|
| openSUSE-SU-2020:1841 |
|