libvncserver (0.9.11+dfsg-1.3+deb10u5) buster-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-29260 memory leak in function rfbClientCleanup()
  * CVE-2020-25708 fix for a divide by zero which could result in DoS

 -- Thorsten Alteholz Mon, 26 Sep 2022 22:03:02 +0200

libvncserver (0.9.11+dfsg-1.3+deb10u4) buster; urgency=medium

  * CVE-2019-20839: libvncclient: bail out if unix socket name would
    overflow.
  * CVE-2020-14397: libvncserver: add missing NULL pointer checks.
  * CVE-2020-14399: libvncclient: fix pointer aliasing/alignment issue.
  * CVE-2020-14400: libvncserver: fix pointer aliasing/alignment issue.
  * CVE-2020-14401: libvncserver: scale: cast to 64 bit before shifting.
  * CVE-2020-14402, CVE-2020-14403, CVE-2020-14404: libvncserver:
    encodings: prevent OOB accesses.
  * CVE-2020-14405: libvncclient/rfbproto: limit max textchat size.

 -- Mike Gabriel Fri, 28 Aug 2020 23:40:37 +0200

libvncserver (0.9.11+dfsg-1.3+deb10u3) buster; urgency=medium

  [ Antoni Villalonga ]
  * debian/patches:
    + Add CVE-2019-15690 patch. libvncclient/cursor: limit width/height
      input values. Avoids a possible heap overflow reported by Pavel
      Cheremushkin. (Closes: #954163).

 -- Mike Gabriel Tue, 31 Mar 2020 07:05:57 +0200

libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium

  * Regression update.
  * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked
    from upstream. Resolves crashing of x11vnc when vncviewer connects.
    (Closes: #905786).

 -- Mike Gabriel Wed, 08 Jan 2020 08:22:51 +0100

libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium

  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
    (Closes: #943793).
  * debian/patches:
    + Trivial patch rebasing.
    + Add 3 use-after-free patches. Resolve a freeze during connection
      closure and a segmentation fault on multi-threaded VNC servers.
      (Closes: #905786).
    + Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware
      servers. (Closes: #880531).

 -- Mike Gabriel Tue, 03 Dec 2019 09:18:57 +0100

libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * LibVNCClient: ignore server-sent cut text longer than 1MB
    (CVE-2018-20748) (Closes: #920941)
  * LibVNCClient: ignore server-sent reason strings longer than 1MB
    (CVE-2018-20748) (Closes: #920941)
  * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
    (CVE-2018-20748) (Closes: #920941)
  * LibVNCClient: remove now-useless cast (CVE-2018-20748)
    (Closes: #920941)
  * Error out in rfbProcessFileTransferReadBuffer if length can not be
    allocated (CVE-2018-20749) (Closes: #920941)
  * Limit length to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
    (CVE-2018-20750) (Closes: #920941)

 -- Salvatore Bonaccorso Wed, 30 Jan 2019 22:39:15 +0100

libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high

  * Non-maintainer upload.
  * Fix multiple security vulnerabilities (Closes: #916941)
    - Use-after-free in file transfer extension allows for potential code
      execution (CVE-2018-15126)
    - Heap out-of-bounds write in
      rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential
      code execution (CVE-2018-15127)
    - Multiple heap out-of-bound writes in VNC client code
      (CVE-2018-20019)
    - Heap out-of-bound write inside structure in VNC client code allows
      for potential code execution (CVE-2018-20020)
    - Infinite loop in VNC client code allows for denial of service
      (CVE-2018-20021)
    - Improper initialization in VNC client code allows for information
      disclosure (CVE-2018-20022)
    - Improper initialization in VNC Repeater client code allows for
      information disclosure (CVE-2018-20023)
    - NULL pointer dereference in VNC client code allows for denial of
      service (CVE-2018-20024)
    - Use-after-free in file transfer extension server code allows for
      potential code execution (CVE-2018-6307)
  * Update symbols file for libvncserver1. The fix for CVE-2018-15126
    removes CloseUndoneFileTransfer and introduces new
    CloseUndoneFileDownload and CloseUndoneFileUpload.

 -- Salvatore Bonaccorso Wed, 02 Jan 2019 16:26:53 +0100

libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could
    be accessed by remote attackers because the msg.cct.length in
    rfbserver.c was not sanitized. (Closes: #894045)

 -- Markus Koschany Tue, 05 Jun 2018 14:43:47 +0200

libvncserver (0.9.11+dfsg-1) unstable; urgency=high

  * New upstream release, containing security fixes for
    - CVE-2016-9941
    - CVE-2016-9942
  * Remove upstream applied patches

 -- Peter Spiess-Knafl Tue, 03 Jan 2017 11:50:27 +0100

libvncserver (0.9.10+dfsg-3) unstable; urgency=medium

  * Avoid regeneration of rfbint.h and rfbconfig.h (Closes: #786822)

 -- Peter Spiess-Knafl Tue, 26 May 2015 00:12:15 +0200

libvncserver (0.9.10+dfsg-2) unstable; urgency=medium

  * Changed maintainer email.
  * Upload to unstable.

 -- Peter Spiess-Knafl Sun, 24 May 2015 10:22:09 +0200

libvncserver (0.9.10+dfsg-1) experimental; urgency=medium

  * New Maintainer (Closes: #755299)
  * New upstream version (Closes: #766335)
    - Set opcode correctly for binary frames (Closes: #766257)
  * Split out linuxvnc into new source package (vncterm)
  * Removed upstream applied patches
  * Bugfix in watchfile (Closes: #776162)
  * Fix in short description (Closes: #758754)
  * Replaced non-free sha1 implementations in common/sha1.*
  * Added patch for libgcrypt init before use (Closes: #782570)
  * Bump SONAME 0 -> 1

 -- Peter Spiess-Knafl Fri, 30 Jan 2015 16:09:03 +0000

libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054,
    CVE-2014-6055: Multiple issues in libVNCserver -- cherry picking
    targeted fixes from upstream (Closes: #762745)

 -- Tobias Frost Sun, 23 Nov 2014 16:19:53 +0100

libvncserver (0.9.9+dfsg-6) unstable; urgency=medium

  [ Luca Falavigna ]
  * debian/patches/pkgconfig.patch:
    - Use Libs.private to avoid unnecessary linkage (Closes: #747539).
  * debian/tests/*:
    - Provide a simple test to check whether the package is functional
      as per DEP8 (autopkgtests).
  * debian/control:
    - (Build-)depends on libgnutls28-dev and libgcrypt20-dev instead of
      libgnutls-dev and libgcrypt11-dev (Closes: #753126).
    - Point Homepage field to the new home page.
  * debian/copyright:
    - Point Source field to the new download location.
  * debian/watch:
    - Point to GitHub.

  [ Gianfranco Costamagna ]
  * Drop the libpng12-dev build conflict, relying instead on a better
    --without-png configure flag

  [ Matthias Klose ]
  * debian/patches/ppc64el.patch
    - Patch acinclude.m4 for ppc64el (Closes: #756809).

 -- Luca Falavigna Tue, 12 Aug 2014 16:02:26 +0200

libvncserver (0.9.9+dfsg-5) unstable; urgency=medium

  * debian/patches/listenSock.patch:
    - Cherry-pick patch from upstream to fix a segfault on listenSock and
      listen6Sock, thanks to Shaddy Baddah (Closes: #746260).
  * debian/control:
    - Build-depends on libgcrypt11-dev, thanks to Andreas Metzler for the
      bug report (Closes: #745954).

 -- Luca Falavigna Thu, 01 May 2014 10:20:21 +0200

libvncserver (0.9.9+dfsg-4) unstable; urgency=medium

  * debian/copyright:
    - Document missing copyright information (Closes: #734849).

 -- Luca Falavigna Mon, 20 Jan 2014 16:35:02 +0100

libvncserver (0.9.9+dfsg-3) unstable; urgency=medium

  * Provide libvncclient in a separate binary package (Closes: #620322).
  * debian/control:
    - Drop obsolete Breaks/Replaces fields in libvncserver-config.
  * debian/libvncclient0.symbols, debian/libvncserver0.symbols:
    - Provide symbol files for both libraries.
  * debian/libvncserver-config.docs:
    - Install documentation in libvncserver-config.

 -- Luca Falavigna Thu, 09 Jan 2014 09:25:22 +0100

libvncserver (0.9.9+dfsg-2) unstable; urgency=medium

  [ Luca Falavigna ]
  * debian/patches/format_string.patch:
    - Use format string argument in gtkvncviewer (Closes: #711805).
  * debian/control:
    - Add Build-Conflicts on libpng12-0 and libpng12-dev
      (Closes: #725480).
    - Bump Standards-Version to 3.9.5.
    - Use canonic URIs for the Vcs-* fields.
  * debian/clean:
    - Remove files created at build time.
  * debian/rules:
    - Enable verbose build log.

  [ Prach Pongpanich ]
  * debian/patches/multiarch.patch:
    - Avoid regenerating header files at build time (Closes: #671790).

 -- Luca Falavigna Thu, 02 Jan 2014 12:17:18 +0100

libvncserver (0.9.9+dfsg-1) unstable; urgency=low

  * New upstream release.
  * Patches refreshed for the new upstream version.
  * Multi-arch support (Closes: #664883).
  * debian/patches/format_string.patch:
    - Use format string argument with fprintf.
  * debian/patches/02_linux_test.patch:
    - Removed, applied upstream.
  * debian/patches/04_rename_linuxvnc.patch:
    - Removed, applied upstream.
  * debian/patches/05_GnuTLS.patch:
    - Removed, applied upstream.
  * debian/compat:
    - Bump compatibility level to 9.
  * debian/control:
    - Add libvncserver-config binary package, needed for Multi-arch.
    - Bump Standards-Version to 3.9.3.
  * debian/copyright:
    - Convert to DEP5 format.
  * debian/libvncserver-config.1:
    - Fix hyphen-used-as-minus-sign lintian warning.
  * debian/rules:
    - Implement a get-orig-source target to get rid of webclients
      directory, which contains Java classes without sources.
  * debian/watch:
    - Mangle "+dfsg" prefix from version number.

 -- Luca Falavigna Sat, 05 May 2012 23:45:15 +0200

libvncserver (0.9.8.2-2) unstable; urgency=low

  * debian/*.1:
    - Refresh man pages to consider new parameters (Closes: #518617).
  * debian/libvncserver-dev.install:
    - Install libvncserver.pc and libvncclient files (Closes: #649481).

 -- Luca Falavigna Thu, 08 Dec 2011 11:55:19 +0100

libvncserver (0.9.8.2-1) unstable; urgency=low

  * New upstream bugfix release.
    - Fix a regression in libvncclient with Apple Remote Desktop support
      that prevented viewers to connect to ARD servers (Closes: #644455).

 -- Luca Falavigna Wed, 09 Nov 2011 23:31:28 +0100

libvncserver (0.9.8.1-1) unstable; urgency=low

  * New upstream bugfix release.
    - Fix ABI break (Closes: #644455).
  * debian/compat:
    - Bump compatibility to 8.
  * debian/control:
    - Adopting package.
    - Add Vcs-* fields.
    - Build-depend on dh-autoreconf instead of automake and libtool.
    - Add libgnutls-dev to libvncserver-dev dependencies.
  * debian/not-installed:
    - Not needed, removed.
  * debian/rules:
    - Build with autoreconf support.

 -- Luca Falavigna Wed, 12 Oct 2011 19:59:26 +0200

libvncserver (0.9.8-2) unstable; urgency=low

  * QA upload.
  * debian/control:
    - Build-depend on libgnutls-dev for GNUTLS support.

 -- Luca Falavigna Sun, 02 Oct 2011 14:27:56 +0200

libvncserver (0.9.8-1) unstable; urgency=low

  * QA upload.
  * New upstream release (Closes: #621705).
    - Fix segfault launching "linuxvnc 1 -help" (Closes: #399501).
    - Close socket when connection ends (Closes: #525226).
    - Fix no input caused by stuck CTRL key (Closes: #555988).
  * debian/patches/*:
    - Refresh patches for new upstream release.
  * debian/patches/05_GnuTLS.patch:
    - Backport patch from upstream repository to drop deprecated GnuTLS
      functions (gnutls_*_set_priority -> gnutls_priority_set_direct).
  * debian/control:
    - Build-depend on pkg-config.
    - Remove duplicate section field for libvncserver0 binary.
    - Bump Standards-Version to 3.9.2.
  * debian/libvncserver-config.1:
    - Use minus signs instead of hyphens.
  * debian/README.source:
    - Dropped, no longer needed.
  * debian/watch:
    - Provide watch file.

 -- Luca Falavigna Sun, 02 Oct 2011 02:54:05 +0200

libvncserver (0.9.7-3) unstable; urgency=low

  * QA upload
  * Change (build-)dependencies on libjpeg62-dev to libjpeg-dev
    (closes: #629976).
  * Migrate to source format 3.0 (quilt):
    - add debian/source/format
    - remove build-dependency on quilt
    - debian/rules: drop --with-quilt from dh invocation
  * debian/rules, clean target: also remove generated file _configs.sed

 -- Ralf Treinen Fri, 10 Jun 2011 19:39:44 +0200

libvncserver (0.9.7-2) unstable; urgency=low

  * QA upload.
  * Don't build linuxvnc on non-linux architectures (Closes: #542592).
  * Add a debian/README.source.

 -- Aurelien Jarno Sun, 30 Aug 2009 17:15:14 +0200

libvncserver (0.9.7-1) unstable; urgency=low

  * QA upload.
  * New upstream release (Closes: #529010):
    - x11vnc is removed upstream from libvncserver sources. Now, it is
      released separately.
  * Added patches:
    - 03_no_x11vnc_subdir.patch
      Remove x11vnc remaining occurrences from the build system.
    - 04_rename_linuxvnc.patch
      Rename LinuxVNC to linuxvnc.
  * Bumped debian/compat from 5 to 7.
  * Updated debian/control:
    - Cleaned up build dependencies.
    - Switched to quilt patch system.
    - Added Homepage field.
    - Added libjpeg62-dev and zlib1g-dev dependencies to libvncserver-dev.
      (Closes: #515029)
    - Added priority extra and section debug to libvncserver0-dbg.
    - Removed x11vnc package.
  * Added debian/not-installed:
    - *.la files are not installed anymore in libvncserver-dev.
  * Switched debian/rules from cdbs to dh usage.

 -- Fathi Boudra Fri, 07 Aug 2009 15:45:36 +0200

libvncserver (0.9.3.dfsg.1-2) unstable; urgency=low

  * QA upload.
  * Drop useless build-depends on linux-libc-dev.

 -- Aurelien Jarno Wed, 13 May 2009 20:11:07 +0200

libvncserver (0.9.3.dfsg.1-1) unstable; urgency=low

  * QA upload.
  * New upstream release. (Closes: #448942)
    - CVS tag X11VNC_REL_0_9_3
  * Switched rules to CDBS.
  * Bumped compat to 5.
  * Bumped Standards-Version to 3.7.2
  * Enabled shared libraries. (Closes: #373298)
  * Dropped vncommand, since it isn't installed by make install.
    - All hate-mail should be sent to debian@pusling.com
  * Added debug package.
  * Removed the classes/ dir, there are no sources for the jar files.
    - Appended .dfsg.1 to source version.
    - Added patch 01_ignore_classes to allow building without classes/
      dir.
  * Added patch 02_linux_test to look for /usr/include/linux instead of
    /dev/vcsa

 -- Matthew Rosewarne Mon, 05 Nov 2007 03:22:20 -0500

libvncserver (0.8.2-2) unstable; urgency=low

  * Orphaning package

 -- Ludovic Drolez Wed, 25 Apr 2007 12:00:32 +0200

libvncserver (0.8.2-1) unstable; urgency=high

  * New upstream release.
    Closes: #373808
  * This new release fixes a security bug which might be present in the
    previous release of the package. Closes: #376824
  * urgency=high because a probable security bug was fixed.

 -- Ludovic Drolez Mon, 17 Jul 2006 20:43:38 +0200

libvncserver (0.7.1-5) unstable; urgency=high

  * Re-upload with urgency=high because the package in testing is unusable

 -- Ludovic Drolez Thu, 12 Jan 2006 15:30:00 +0100

libvncserver (0.7.1-4) unstable; urgency=low

  * Put x11vnc 0.7.3 sources in their own directory. Closes: #333880
  * Updated build-depends. Closes: #347019

 -- Ludovic Drolez Mon, 9 Jan 2006 23:13:15 +0100

libvncserver (0.7.1-3) unstable; urgency=low

  * Added x11vnc 0.7.3 sources. Closes: #328943
  * Added the x11vnc FAQ which is in the README. Closes: #325479
  * Added build dependencies on libxdamage-dev, libfixes-dev,
    libxrandr-dev

 -- Ludovic Drolez Wed, 28 Sep 2005 19:00:05 +0200

libvncserver (0.7.1-2) unstable; urgency=low

  * Removed the /dev/vcsa1 test to fix the pbuilder bug. Closes: #322643
  * new vncommand package: allows you to attach a VNC server to any
    command

 -- Ludovic Drolez Fri, 26 Aug 2005 18:02:16 +0200

libvncserver (0.7.1-1) unstable; urgency=low

  * New upstream release. Closes: #309385

 -- Ludovic Drolez Fri, 25 Mar 2005 20:48:38 +0100

libvncserver (0.7-1) unstable; urgency=low

  * New upstream release
  * New upstream x11vnc man page. Closes: Bug#277510

 -- Ludovic Drolez Mon, 31 Jan 2005 23:06:17 +0100

libvncserver (0.6-3) unstable; urgency=low

  * Added the latest x11vnc.c (0.6.1) which has the -scale option.
  * Added the scale option in the manual.

 -- Ludovic Drolez Fri, 16 Jul 2004 16:26:09 +0200

libvncserver (0.6-2) unstable; urgency=low

  * Added the latest x11vnc.c from the CVS. Closes: Bug#246205

 -- Ludovic Drolez Thu, 29 Apr 2004 22:09:53 +0200

libvncserver (0.6-1) unstable; urgency=low

  * Initial Release.
  * Integrated the last release of x11vnc.

 -- Ludovic Drolez Wed, 10 Mar 2004 23:42:26 +0100