libvncserver (0.9.11+dfsg-1.3+deb10u4) buster; urgency=medium
* CVE-2019-20839: libvncclient: bail out if unix socket name would overflow.
* CVE-2020-14397: libvncserver: add missing NULL pointer checks.
* CVE-2020-14399: libvncclient: fix pointer aliasing/alignment issue.
* CVE-2020-14400: libvncserver: fix pointer aliasing/alignment issue.
* CVE-2020-14401: libvncserver: scale: cast to 64 bit before shifting.
* CVE-2020-14402, CVE-2020-14403, CVE-2020-14404: libvncserver: encodings:
prevent OOB accesses.
* CVE-2020-14405: libvncclient/rfbproto: limit max textchat size.
-- Mike Gabriel <sunweaver@debian.org> Fri, 28 Aug 2020 23:40:37 +0200
libvncserver (0.9.11+dfsg-1.3+deb10u3) buster; urgency=medium
[ Antoni Villalonga ]
* debian/patches:
+ Add CVE-2019-15690 patch. libvncclient/cursor: limit
width/height input values. Avoids a possible heap overflow reported
by Pavel Cheremushkin. (Closes: #954163).
-- Mike Gabriel <sunweaver@debian.org> Tue, 31 Mar 2020 07:05:57 +0200
libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
* Regression update.
* debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
#905786).
-- Mike Gabriel <sunweaver@debian.org> Wed, 08 Jan 2020 08:22:51 +0100
libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium
* CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
#943793).
* debian/patches:
+ Trivial patch rebasing.
+ Add 3 use-after-free patches. Resolve a freeze during connection closure and a
segmentation fault on multi-threaded VNC servers. (Closes: #905786).
+ Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware servers.
(Closes: #880531).
-- Mike Gabriel <sunweaver@debian.org> Tue, 03 Dec 2019 09:18:57 +0100
libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium
* Non-maintainer upload.
* LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748)
(Closes: #920941)
* LibVNCClient: ignore server-sent reason strings longer than 1MB
(CVE-2018-20748) (Closes: #920941)
* LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
(CVE-2018-20748) (Closes: #920941)
* LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941)
* Error out in rfbProcessFileTransferReadBuffer if length can not be
allocated (CVE-2018-20749) (Closes: #920941)
* Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
(CVE-2018-20750) (Closes: #920941)
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 30 Jan 2019 22:39:15 +0100
libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high
* Non-maintainer upload.
* Fix multiple security vulnerabilities (Closes: #916941)
- Use-after-free in file transfer extension allows for potential
code execution (CVE-2018-15126)
- Heap out-of-bounds write in
rfbserver.c:rfbProcessFileTransferReadBuffer() allows for
potential code execution (CVE-2018-15127)
- Multiple heap out-of-bound writes in VNC client code
(CVE-2018-20019)
- Heap out-of-bound write inside structure in VNC client code allows
for potential code execution (CVE-2018-20020)
- Infinite loop in VNC client code allows for denial of service
(CVE-2018-20021)
- Improper initialization in VNC client code allows for information
disclosure (CVE-2018-20022)
- Improper initialization in VNC Repeater client code allows for
information disclosure (CVE-2018-20023)
- NULL pointer dereference in VNC client code allows for denial of
service (CVE-2018-20024)
- Use-after-free in file transfer extension server code allows for
potential code execution (CVE-2018-6307)
* Update symbols file for libvncserver1.
The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and
introduces new CloseUndoneFileDownload and CloseUndoneFileUpload.
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 02 Jan 2019 16:26:53 +0100
libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high
* Non-maintainer upload.
* Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
accessed by remote attackers because the msg.cct.length in rfbserver.c was
not sanitized. (Closes: #894045)
-- Markus Koschany <apo@debian.org> Tue, 05 Jun 2018 14:43:47 +0200
libvncserver (0.9.11+dfsg-1) unstable; urgency=high
* New upstream release, containing security fixes for
- CVE-2016-9941
- CVE-2016-9942
* Remove upstream applied patches
-- Peter Spiess-Knafl <dev@spiessknafl.at> Tue, 03 Jan 2017 11:50:27 +0100
libvncserver (0.9.10+dfsg-3) unstable; urgency=medium
* Avoid regeneration of rfbint.h and rfbconfig.h (Closes: #786822)
-- Peter Spiess-Knafl <dev@spiessknafl.at> Tue, 26 May 2015 00:12:15 +0200
libvncserver (0.9.10+dfsg-2) unstable; urgency=medium
* Changed maintainer email.
* Upload to unstable.
-- Peter Spiess-Knafl <dev@spiessknafl.at> Sun, 24 May 2015 10:22:09 +0200
libvncserver (0.9.10+dfsg-1) experimental; urgency=medium
* New Maintainer (Closes: #755299)
* New upstream version (Closes: #766335)
- Set opcode correctly for binary frames (Closes: #766257)
* Split out linuxvnc into new source package (vncterm)
* Removed upstream applied patches
* Bugfix in watchfile (Closes: #776162)
* Fix in short description (Closes: #758754)
* Replaced non-free sha1 implementations in common/sha1.*
* Added patch for libgcrypt init before use (Closes: #782570)
* Bump SONAME 0 -> 1
-- Peter Spiess-Knafl <psk@autistici.org> Fri, 30 Jan 2015 16:09:03 +0000
libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium
* Non-maintainer upload.
* CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055:
Multiple issues in libVNCserver -- cherry picking targeted fixed from
upstream (Closes: #762745)
-- Tobias Frost <tobi@debian.org> Sun, 23 Nov 2014 16:19:53 +0100
libvncserver (0.9.9+dfsg-6) unstable; urgency=medium
[ Luca Falavigna ]
* debian/patches/pkgconfig.patch:
- Use Libs.private to avoid unnecessary linkage (Closes: #747539).
* debian/tests/*:
- Provide a simple test to check whether the package is functional
as per DEP8 (autopkgtests).
* debian/control:
- (Build-)depends on libgnutls28-dev and libgcrypt20-dev instead of
libgnutls-dev and libgcrypt11-dev (Closes: #753126).
- Point Homepage field to the new home page.
* debian/copyright:
- Point Source field to the new download location.
* debian/watch:
- Point to GitHub.
[ Gianfranco Costamagna ]
* Drop the libpng12-dev build conflict, relying instead on a better
--without-png configure flag
[ Matthias Klose ]
* debian/patches/ppc64el.patch
- Patch acinclude.m4 for ppc64el (Closes: #756809).
-- Luca Falavigna <dktrkranz@debian.org> Tue, 12 Aug 2014 16:02:26 +0200
libvncserver (0.9.9+dfsg-5) unstable; urgency=medium
* debian/patches/listenSock.patch:
- Cherry-pick patch from upstream to fix a segfault on listenSock
and listen6Sock, thanks to Shaddy Baddah (Closes: #746260).
* debian/control:
- Build-depends on libgcrypt11-dev, thanks to Andreas Metzler for
the bug report (Closes: #745954).
-- Luca Falavigna <dktrkranz@debian.org> Thu, 01 May 2014 10:20:21 +0200
libvncserver (0.9.9+dfsg-4) unstable; urgency=medium
* debian/copyright:
- Document missing copyright information (Closes: #734849).
-- Luca Falavigna <dktrkranz@debian.org> Mon, 20 Jan 2014 16:35:02 +0100
libvncserver (0.9.9+dfsg-3) unstable; urgency=medium
* Provide libvncclient in a separate binary package (Closes: #620322).
* debian/control:
- Drop obsolete Breaks/Replaces fields in libvncserver-config.
* debian/libvncclient0.symbols, debian/libvncserver0.symbols:
- Provide symbol files for both libraries.
* debian/libvncserver-config.docs:
- Install documentation in libvncserver-config.
-- Luca Falavigna <dktrkranz@debian.org> Thu, 09 Jan 2014 09:25:22 +0100
libvncserver (0.9.9+dfsg-2) unstable; urgency=medium
[ Luca Falavigna ]
* debian/patches/format_string.patch:
- Use format string argument in gtkvncviewer (Closes: #711805).
* debian/control:
- Add Build-Conflicts on libpng12-0 and libpng12-dev (Closes: #725480).
- Bump Standards-Version to 3.9.5.
- Use canonic URIs for the Vcs-* fields.
* debian/clean:
- Remove files created at build time.
* debian/rules:
- Enable verbose build log.
[ Prach Pongpanich ]
* debian/patches/multiarch.patch:
- Avoid regenerating header files at build time (Closes: #671790).
-- Luca Falavigna <dktrkranz@debian.org> Thu, 02 Jan 2014 12:17:18 +0100
libvncserver (0.9.9+dfsg-1) unstable; urgency=low
* New upstream release.
* Patches refreshed for the new upstream version.
* Multi-arch support (Closes: #664883).
* debian/patches/format_string.patch:
- Use format string argument with fprintf.
* debian/patches/02_linux_test.patch:
- Removed, applied upstream.
* debian/patches/04_rename_linuxvnc.patch:
- Removed, applied upstream.
* debian/patches/05_GnuTLS.patch:
- Removed, applied upstream.
* debian/compat:
- Bump compatibility level to 9.
* debian/control:
- Add libvncserver-config binary package, needed for Multi-arch.
- Bump Standards-Version to 3.9.3.
* debian/copyright:
- Convert to DEP5 format.
* debian/libvncserver-config.1:
- Fix hyphen-used-as-minus-sign lintian warning.
* debian/rules:
- Implement a get-orig-source target to get rid of webclients
directory, which contains Java classes without sources.
* debian/watch:
- Mangle "+dfsg" prefix from version number.
-- Luca Falavigna <dktrkranz@debian.org> Sat, 05 May 2012 23:45:15 +0200
libvncserver (0.9.8.2-2) unstable; urgency=low
* debian/*.1:
- Refresh man pages to consider new parameters (Closes: #518617).
* debian/libvncserver-dev.install:
- Install libvncserver.pc and libvncclient files (Closes: #649481).
-- Luca Falavigna <dktrkranz@debian.org> Thu, 08 Dec 2011 11:55:19 +0100
libvncserver (0.9.8.2-1) unstable; urgency=low
* New upstream bugfix release.
- Fix a regression in libvncclient with Apple Remote Desktop support
that prevented viewers to connect to ARD servers (Closes: #644455).
-- Luca Falavigna <dktrkranz@debian.org> Wed, 09 Nov 2011 23:31:28 +0100
libvncserver (0.9.8.1-1) unstable; urgency=low
* New upstream bugfix release.
- Fix ABI break (Closes: #644455).
* debian/compat:
- Bump compatibility to 8.
* debian/control:
- Adopting package.
- Add Vcs-* fields.
- Build-depend on dh-autoreconf instead of automake and libtool.
- Add libgnutls-dev to libvncserver-dev dependencies.
* debian/not-installed:
- Not needed, removed.
* debian/rules:
- Build with autoreconf support.
-- Luca Falavigna <dktrkranz@debian.org> Wed, 12 Oct 2011 19:59:26 +0200
libvncserver (0.9.8-2) unstable; urgency=low
* QA upload.
* debian/control:
- Build-depend on libgnutls-dev for GNUTLS support.
-- Luca Falavigna <dktrkranz@debian.org> Sun, 02 Oct 2011 14:27:56 +0200
libvncserver (0.9.8-1) unstable; urgency=low
* QA upload.
* New upstream release (Closes: #621705).
- Fix segfault launching "linuxvnc 1 -help" (Closes: #399501).
- Close socket when connection ends (Closes: #525226).
- Fix no input caused by stucked CTRL key (Closes: #555988).
* debian/patches/*:
- Refresh patches for new upstream release.
* debian/patches/05_GnuTLS.patch:
- Backport patch from upstream repository to drop deprecated GnuTLS
functions (gnutls_*_set_priority -> gnutls_priority_set_direct).
* debian/control:
- Build-depend on pkg-config.
- Remove duplicate section field for libvncserver0 binary.
- Bump Standards-Version to 3.9.2.
* debian/libvncserver-config.1:
- Use minus signs instead of hypens.
* debian/README.source:
- Dropped, no longer needed.
* debian/watch:
- Provide watch file.
-- Luca Falavigna <dktrkranz@debian.org> Sun, 02 Oct 2011 02:54:05 +0200
libvncserver (0.9.7-3) unstable; urgency=low
* QA upload
* Change (build-)depdendencies on libjpeg62-dev to libjpeg-dev
(closes: #629976).
* Migrate to source format 3.0 (quilt):
- add debian/source/format
- remove build-dependency on quilt
- debian/rules: drop --with-quilt from dh invocation
* debian/rules, clean target: also remove generated file _configs.sed
-- Ralf Treinen <treinen@debian.org> Fri, 10 Jun 2011 19:39:44 +0200
libvncserver (0.9.7-2) unstable; urgency=low
* QA upload.
* Don't build linuxvnc on non-linux architectures (Closes: #542592).
* Add a debian/README.source.
-- Aurelien Jarno <aurel32@debian.org> Sun, 30 Aug 2009 17:15:14 +0200
libvncserver (0.9.7-1) unstable; urgency=low
* QA upload.
* New upstream release (Closes: #529010):
- x11vnc is removed upstream from libvncserver sources.
Now, it is released separately.
* Added patches:
- 03_no_x11vnc_subdir.patch
Remove x11vnc remaining occurrences from the build system.
- 04_rename_linuxvnc.patch
Rename LinuxVNC to linuxvnc.
* Bumped debian/compat from 5 to 7.
* Updated debian/control:
- Cleanuped build dependencies.
- Switched to quilt patch system.
- Added Homepage field.
- Added libjpeg62-dev and zlib1g-dev dependencies to libvncserver-dev.
(Closes: #515029)
- Added priority extra and section debug to libvncserver0-dbg.
- Removed x11vnc package.
* Added debian/not-installed:
- *.la files are not installed anymore in libvncserver-dev.
* Switched debian/rules from cdbs to dh usage.
-- Fathi Boudra <fabo@debian.org> Fri, 07 Aug 2009 15:45:36 +0200
libvncserver (0.9.3.dfsg.1-2) unstable; urgency=low
* QA upload.
* Drop useless build-depends on linux-libc-dev.
-- Aurelien Jarno <aurel32@debian.org> Wed, 13 May 2009 20:11:07 +0200
libvncserver (0.9.3.dfsg.1-1) unstable; urgency=low
* QA upload.
* New upstream release. (Closes: #448942)
- CVS tag X11VNC_REL_0_9_3
* Switched rules to CDBS.
* Bumped compat to 5.
* Bumped Standards-Version to 3.7.2
* Enabled shared libraries. (Closes: #373298)
* Dropped vncommand, since it isn't installed by make install.
- All hate-mail should be sent to debian@pusling.com
* Added debug package.
* Removed the classes/ dir, there are no sources for the jar files.
- Appended .dfsg.1 to source version.
- Added patch 01_ignore_classes to allow building without classes/ dir.
* Added patch 02_linux_test to look for /usr/include/linux instead of /dev/vcsa
-- Matthew Rosewarne <mrosewarne@inoutbox.com> Mon, 05 Nov 2007 03:22:20 -0500
libvncserver (0.8.2-2) unstable; urgency=low
* Orphaning package
-- Ludovic Drolez <ldrolez@debian.org> Wed, 25 Apr 2007 12:00:32 +0200
libvncserver (0.8.2-1) unstable; urgency=high
* New upstream release. Closes: #373808
* This new release fixes a security bug which might be present in the
previous release of the package. Closes: #376824
* urgency=high because a probable security bug was fixed.
-- Ludovic Drolez <ldrolez@debian.org> Mon, 17 Jul 2006 20:43:38 +0200
libvncserver (0.7.1-5) unstable; urgency=high
* Re-upload with urgency=high because the package in testing is unusable
-- Ludovic Drolez <ldrolez@debian.org> Thu, 12 Jan 2006 15:30:00 +0100
libvncserver (0.7.1-4) unstable; urgency=low
* Put x11vnc 0.7.3 sources in their own directory. Closes: #333880
* Updated build-depends. Closes: #347019
-- Ludovic Drolez <ldrolez@debian.org> Mon, 9 Jan 2006 23:13:15 +0100
libvncserver (0.7.1-3) unstable; urgency=low
* Added x11vnc 0.7.3 sources. Closes: #328943
* Added the x11vnc FAQ which is in the README. Closes: #325479
* Added build dependencies on libxdamage-dev, libfixes-dev, libxrandr-dev
-- Ludovic Drolez <ldrolez@debian.org> Wed, 28 Sep 2005 19:00:05 +0200
libvncserver (0.7.1-2) unstable; urgency=low
* Removed the /dev/vcsa1 test to fix the pbuilder bug. Closes: #322643
* new vncommand package: allows you to attach a VNC server to any command
-- Ludovic Drolez <ldrolez@debian.org> Fri, 26 Aug 2005 18:02:16 +0200
libvncserver (0.7.1-1) unstable; urgency=low
* New upstream release. Closes: #309385
-- Ludovic Drolez <ldrolez@debian.org> Fri, 25 Mar 2005 20:48:38 +0100
libvncserver (0.7-1) unstable; urgency=low
* New upstream release
* New upstream x11vnc man page. Closes: Bug#277510
-- Ludovic Drolez <ldrolez@debian.org> Mon, 31 Jan 2005 23:06:17 +0100
libvncserver (0.6-3) unstable; urgency=low
* Added the latest x11vnc.c (0.6.1) which has the -scale option.
* Added the scale option in the manual.
-- Ludovic Drolez <ldrolez@debian.org> Fri, 16 Jul 2004 16:26:09 +0200
libvncserver (0.6-2) unstable; urgency=low
* Added the latest x11vnc.c from the CVS. Closes: Bug#246205
-- Ludovic Drolez <ldrolez@debian.org> Thu, 29 Apr 2004 22:09:53 +0200
libvncserver (0.6-1) unstable; urgency=low
* Initial Release.
* Integrated the last release of x11vnc.
-- Ludovic Drolez <ldrolez@debian.org> Wed, 10 Mar 2004 23:42:26 +0100