• [gentoo-announce] [ GLSA 202411-01 ] Neat VNC: Authentication Bypass

    From glsamaker@gentoo.org@21:1/5 to All on Wed Nov 6 11:10:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202411-01
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Neat VNC: Authentication Bypass
    Date: November 06, 2024
    Bugs: #937140
    ID: 202411-01

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Neat VNC, which can lead to authentication bypass.

    Background
    ==========

    Neat VNC is a liberally licensed VNC server library that's intended to
    be fast and neat.

    Affected packages
    =================

    Package           Vulnerable    Unaffected
    ----------------  ------------  ------------
    gui-libs/neatvnc  < 0.8.1       >= 0.8.1

    Description
    ===========

    Neat VNC allows remote attackers to bypass authentication via a request
    in which the client specifies an insecure security type such as
    "Type 1 - None", which is accepted even if it is not offered by the
    server, as originally demonstrated using a long password.

    Impact
    ======

    A remote attacker can opt not to use any authentication method and
    access the VNC server.
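
The flaw described in the Description and Impact sections, as an added illustration in C; it is not code from this advisory or from Neat VNC, and the struct and function names are hypothetical. It contrasts a handler that trusts the client's security-type byte with one that first checks the byte against the types the server offered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* RFB security type numbers (RFC 6143, section 7.1.2). */
enum { SEC_NONE = 1, SEC_VNC_AUTH = 2 };

/* Hypothetical per-connection state, not Neat VNC's real structures. */
struct conn {
    uint8_t offered[8];        /* types the server advertised */
    size_t n_offered;
    bool authenticated;
    bool awaiting_credentials;
};

/* Flawed pattern: acts on the client's byte without consulting the offer. */
static bool handle_choice_unchecked(struct conn *c, uint8_t chosen)
{
    switch (chosen) {
    case SEC_NONE:     c->authenticated = true;        return true;
    case SEC_VNC_AUTH: c->awaiting_credentials = true; return true;
    default:           return false;
    }
}

/* Hardened pattern: the choice must be one of the advertised types. */
static bool handle_choice_checked(struct conn *c, uint8_t chosen)
{
    bool was_offered = false;
    for (size_t i = 0; i < c->n_offered; i++)
        was_offered |= (c->offered[i] == chosen);
    if (!was_offered)
        return false;          /* caller reports failure and closes */
    return handle_choice_unchecked(c, chosen);
}

/* Constructed scenario: only VNC Authentication is offered. */
static bool client_gets_in(bool checked, uint8_t chosen)
{
    struct conn c = { .offered = { SEC_VNC_AUTH }, .n_offered = 1 };
    (checked ? handle_choice_checked : handle_choice_unchecked)(&c, chosen);
    return c.authenticated;
}

int main(void)
{
    printf("%d %d\n", client_gets_in(false, SEC_NONE), client_gets_in(true, SEC_NONE));
    return 0;
}
```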

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Neat VNC users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=gui-libs/neatvnc-0.8.1"

    References
    ==========


    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202411-01

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
