CVE-2020-26117

In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.

References

Affected packages

Debian:11 / tigervnc

Package

Name: tigervnc
Purl: pkg:deb/debian/tigervnc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.1+dfsg-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tigervnc

Package

Name: tigervnc
Purl: pkg:deb/debian/tigervnc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.1+dfsg-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tigervnc

Package

Name: tigervnc
Purl: pkg:deb/debian/tigervnc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.1+dfsg-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/tigervnc/tigervnc

Affected ranges

Type: GIT
Repo: https://github.com/tigervnc/tigervnc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

20dea801e747318525a5859fe4f37c52b05310cb

Fixed

20dea801e747318525a5859fe4f37c52b05310cb

Fixed

7399eab79a4365434d26494fa1628ce1eb91562b

Fixed

7399eab79a4365434d26494fa1628ce1eb91562b

Fixed

b30f10c681ec87720cff85d490f67098568a9cba

Fixed

b30f10c681ec87720cff85d490f67098568a9cba

Fixed

f029745f63ac7d22fb91639b2cb5b3ab56134d6e

Fixed

f029745f63ac7d22fb91639b2cb5b3ab56134d6e

Affected versions

v0.*

v0.0.90

v1.*

v1.1.90

v1.10.90