neatvnc - Debian Package Tracker

general

source: neatvnc (main)
version: 0.9.1+dfsg-1
maintainer: Han Gao (DMD)
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 0.5.4+dfsg-1
stable: 0.9.1+dfsg-1
testing: 0.9.1+dfsg-1
unstable: 0.9.1+dfsg-1

versioned links

0.5.4+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libneatvnc-dev
libneatvnc0 (1 bugs: 0, 1, 0, 0)

action needed

Multiarch hinter reports 2 issue(s) high

There are issues with the multiarch metadata for this package.

libneatvnc-dev conflicts on /usr/share/doc/libneatvnc-dev/changelog.Debian.gz on loong64 <-> amd64, arm64, armhf and 4 more
libneatvnc0 conflicts on /usr/share/doc/libneatvnc0/changelog.Debian.gz on loong64 <-> amd64, arm64, armhf and 4 more

Created: 2026-04-19 Last update: 2026-05-16 14:00

A new upstream version is available: 1.0.0 high

A new upstream version 1.0.0 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2026-05-16 09:31

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-42859: Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.

1 issue left for the package maintainer to handle:

CVE-2024-42458: (needs triaging) server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the security type, a related issue to CVE-2006-2369.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-08-02 Last update: 2026-05-14 13:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-42859: Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.

Created: 2026-05-14 Last update: 2026-05-14 13:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-42859: Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.

Created: 2026-05-14 Last update: 2026-05-14 13:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-42859: Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.

Created: 2026-05-14 Last update: 2026-05-14 13:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-03-31 15:01

news

[rss feed]

[2024-11-27] neatvnc 0.9.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-11-21] Accepted neatvnc 0.9.1+dfsg-1 (source) into unstable (Han Gao) (signed by: Boyuan Yang)
[2024-11-13] neatvnc 0.8.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2024-11-08] Accepted neatvnc 0.8.0+dfsg-3 (source) into unstable (Dylan Aïssi)
[2024-08-06] neatvnc 0.8.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-08-03] Accepted neatvnc 0.8.0+dfsg-2 (source) into unstable (Salvatore Bonaccorso)
[2024-04-26] neatvnc 0.8.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-03-09] Accepted neatvnc 0.8.0+dfsg-1 (source) into unstable (Boyuan Yang)
[2024-02-19] neatvnc 0.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-02-19] neatvnc 0.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-02-13] Accepted neatvnc 0.7.1+dfsg-2 (source) into unstable (Boyuan Yang)
[2023-12-02] neatvnc 0.7.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-11-26] Accepted neatvnc 0.7.1+dfsg-1 (source) into unstable (Boyuan Yang)
[2023-10-30] neatvnc 0.7.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-10-24] Accepted neatvnc 0.7.0+dfsg-1 (source) into unstable (Boyuan Yang)
[2023-10-15] Accepted neatvnc 0.7.0+dfsg-1~exp1 (source) into experimental (Boyuan Yang)
[2023-08-01] neatvnc 0.6.0+dfsg-4 MIGRATED to testing (Debian testing watch)
[2023-07-25] Accepted neatvnc 0.6.0+dfsg-4 (source) into unstable (Boyuan Yang)
[2023-07-25] Accepted neatvnc 0.6.0+dfsg-3 (source) into unstable (Boyuan Yang)
[2023-07-25] Accepted neatvnc 0.6.0+dfsg-2 (source) into unstable (Boyuan Yang)
[2023-07-25] Accepted neatvnc 0.6.0+dfsg-1 (source) into unstable (Boyuan Yang)
[2023-03-19] Accepted neatvnc 0.5.4+dfsg-2~exp1 (source) into experimental (Boyuan Yang)
[2022-09-23] neatvnc 0.5.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-17] Accepted neatvnc 0.5.4+dfsg-1 (source) into unstable (Boyuan Yang)
[2022-09-05] neatvnc 0.5.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-08-30] Accepted neatvnc 0.5.3+dfsg-1 (source) into unstable (Boyuan Yang)
[2022-08-01] neatvnc 0.5.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-07-29] Accepted neatvnc 0.5.1+dfsg-2 (source) into unstable (Boyuan Yang)
[2022-07-13] Accepted neatvnc 0.5.1+dfsg-1 (source) into unstable (Boyuan Yang)
[2022-01-23] neatvnc 0.4.0+dfsg-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 2
RC: 1
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.9.1+dfsg-1build1