Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 78828 - Upgrade to tightVNC 1.2.7 from 1.2.2
Summary: Upgrade to tightVNC 1.2.7 from 1.2.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: vnc
Version: phoebe
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-12-01 18:36 UTC by Dax Kelson
Modified: 2007-04-18 16:48 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-02-21 08:42:34 UTC


Attachments (Terms of Use)
TightVNC 1.2.6 patch (deleted)
2002-12-01 18:37 UTC, Dax Kelson
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:287 normal SHIPPED_LIVE Moderate: vnc security update 2003-02-07 05:00:00 UTC
Red Hat Product Errata RHSA-2003:041 high SHIPPED_LIVE : Updated VNC packages fix replay and cookie vulnerabilities 2003-02-07 05:00:00 UTC

Description Dax Kelson 2002-12-01 18:36:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Current rawhide and 8.0 vnc has the vnc-3.3.3r2-unix-tight-1.2.2.patch.bz2 patch
being applied.

Please upgrade to the latest stable release of TightVNC 1.2.6.

Reasons for upgrading:

1. Fixed a repeated challenge replay attack
    vulnerability, bugtraq id 5296.

2. Fixed a problem in the I/O subsystem that was
    introduced in TightVNC 1.2.2 and was causing major slowdown in
    communication with clients

3.  Java viewer was GREATLY improved: the code was converted to Java
    1.1, painting techniques were re-designed completely

4.  Can use the system zlib.

Many others benefits....I've been custom patching my RH VNC rpms locally for
awhile with great results.

IMHO, the security hole mandates an upgrade if for no other reason.


Additional info:

The author doesn't distribute patches anymore (since 1.2.2) so I made a patch.

http://www.gurulabs.com/files/vnc-3.3.3r2-unix-tight-1.2.6.patch.bz2

You can get the new Java viewer binary from:

http://umn.dl.sourceforge.net/sourceforge/vnc-tight/tightvnc-1.2.6_javabin.tar.gz

Comment 1 Dax Kelson 2002-12-01 18:37:06 UTC
Created attachment 86985 [details]
TightVNC 1.2.6 patch

Comment 3 Mark J. Cox 2002-12-09 13:06:34 UTC
This is now CAN-2002-1336

Comment 4 Dax Kelson 2002-12-29 03:19:31 UTC
TightVNC 1.2.7 is out now

Comment 5 Dax Kelson 2002-12-29 03:21:48 UTC
1.2.7 changes:

- Unix and Win32 versions, Java viewer: The most significant problem
    with local cursor handling has been solved -- now clients can see
    remote cursor movements performed on the server or by another
    client. New PointerPos encoding and cursor shape updates both
    minimize bandwidth requirements and greatly improve responsiveness
    of the mouse pointer, while still allow to track correct pointer
    position in all situations.

  - Unix and Win32 versions: In all the places where display numbers
    had to be used, now it's easy to use port numbers as well. The
    viewers now allow to use new "hostname::port" syntax, in addition
    to the traditional "hostname:display" format. The same new syntax
    can be used in the "Add new client" dialog of Win32 server. In the
    server, now it's equally easy to set display and port numbers. 
    Besides that, HTTP and RFB port numbers can be set individually.

  - Unix and Win32 versions: In servers, decreased JPEG quality
    factors for low quality levels. This improves bandwidth usage
    while the image quality remains satisfactory in most cases. In
    clients, JPEG compression is now enabled by default, because
    usually it's a reasonable choice. To prevent viewers from
    requesting JPEG compression, new -nojpeg option can be used.

  - Unix version: Bugfix for Xvnc's -localhost and -interface options
    that were broken on many systems, thanks to Luke Mewburn for the
    bugfix. Xvnc -version command-line option is now supported.

  - Tight encoding is now documented in rfbproto.h files within source
    archives.

  - Java viewer: Implemented new buttons "Login again" and "Close
    window" near the disconnect or error messages in the applet mode,
    and introduced new "Offer Relogin" parameter to control this
    improvement. Thanks to Peter Astrand for the initial version of
    the "Login again" patch.

  - Java viewer: Support for connections via HTTP proxies using HTTP
    CONNECT method. This will not work in the applet mode, due to Java
    security restrictions.

  - Java viewer: Extra .vnc files have been removed, having just
    index.vnc should be enough. Also, an example HTML page has been
    prepared, to simplify installation under a standalone Web server.

  - Java viewer: Added a MANIFEST to the JAR archive, to allow easy
    execution of the JAR file, using java -jar command-line option.

  - Other minor improvements and bugfixes.

Comment 6 Rex Dieter 2003-01-15 16:45:35 UTC
Or consider upgrading to (real)vnc-3.3.6.  (-: 
http://www.realvnc.org/.  

Comment 7 Mark J. Cox 2003-01-16 15:50:37 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-287.html


Comment 8 Mark J. Cox 2003-01-16 15:56:00 UTC
reopening since the erratum was for Advanced Server.  The Red Hat Linux variant
is on its way soon.

Comment 9 Mark J. Cox 2003-02-21 08:42:34 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-041.html



Note You need to log in before you can comment on or make changes to this bug.