Headline
Ubuntu Security Notice USN-5965-1
Ubuntu Security Notice 5965-1 - It was discovered that TigerVNC mishandled TLS certificate exceptions. An attacker could use this vulnerability to impersonate any server after a client had added an exception and obtain sensitive information.
==========================================================================
Ubuntu Security Notice USN-5965-1
March 21, 2023

tigervnc vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 ESM

Summary:

TigerVNC could be made to expose sensitive information over the network.

Software Description:
- tigervnc: High-performance, platform-neutral implementation of VNC

Details:

It was discovered that TigerVNC mishandled TLS certificate exceptions. An
attacker could use this vulnerability to impersonate any server after a client
had added an exception and obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 ESM:
  tigervnc-common                 1.10.1+dfsg-3ubuntu0.1+esm2
  tigervnc-scraping-server        1.10.1+dfsg-3ubuntu0.1+esm2
  tigervnc-standalone-server      1.10.1+dfsg-3ubuntu0.1+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5965-1
  CVE-2020-26117
Related news
Gentoo Linux Security Advisory 202407-14
Gentoo Linux Security Advisory 202407-14 - Multiple vulnerabilities have been discovered in TigerVNC, the worst of which could lead to remote code execution. Versions greater than or equal to 1.12.0-r2 are affected.
CVE-2020-26117: Properly store certificate exceptions in Java viewer · TigerVNC/tigervnc@20dea80
In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
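
The trust-store mistake described in the CVE-2020-26117 entry above, as an added example that is not TigerVNC code: a simplified Python model comparing a viewer that keeps exceptions as authorities with one that pins each exception to the host it was granted for. Certificates are reduced to a host name and key labels, all host names and class names are constructed for illustration, and the pinned variant is an assumed way to scope exceptions, not the project's patch.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # host name the certificate claims
    key_id: str      # stands in for the certificate's public key
    signer_key: str  # key that signed it (stands in for the signature)

    def fingerprint(self) -> str:
        return hashlib.sha256(repr(self).encode()).hexdigest()


class AuthorityStoreViewer:
    """Behaviour the advisory describes: an exception becomes an authority."""

    def __init__(self):
        self.authorities = []

    def add_exception(self, host, cert):
        self.authorities.append(cert)  # the host is never recorded

    def accepts(self, host, cert):
        if cert.subject != host:
            return False
        # Trusted if it is a stored certificate or was signed by one.
        return any(cert == ca or cert.signer_key == ca.key_id
                   for ca in self.authorities)


class PinnedExceptionViewer:
    """Assumed hardened form: exception = exactly this certificate, this host."""

    def __init__(self):
        self.pins = {}

    def add_exception(self, host, cert):
        self.pins[host] = cert.fingerprint()

    def accepts(self, host, cert):
        return self.pins.get(host) == cert.fingerprint()


def demo():
    # Constructed sample data: a self-signed certificate the user made an
    # exception for, and a certificate for another host signed with its key.
    lab = Cert("lab.example", "key-lab", "key-lab")
    other = Cert("files.example", "key-other", "key-lab")
    results = {}
    for viewer in (AuthorityStoreViewer(), PinnedExceptionViewer()):
        viewer.add_exception("lab.example", lab)
        results[type(viewer).__name__] = (
            viewer.accepts("lab.example", lab),
            viewer.accepts("files.example", other),
        )
    return results
```

`demo()` returns, per viewer, whether the excepted server is still accepted and whether a certificate for a different host signed by the excepted key is accepted; only the authority-store model accepts the second.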