From owner-freebsd-ports-bugs@FreeBSD.ORG  Tue May 16 00:10:22 2006
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B335C16A8C1
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 16 May 2006 00:10:22 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2AB8143D45
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 16 May 2006 00:10:22 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k4G0AMYr030632
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Tue, 16 May 2006 00:10:22 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k4G0AMrF030631;
	Tue, 16 May 2006 00:10:22 GMT (envelope-from gnats)
Date: Tue, 16 May 2006 00:10:22 GMT
Message-Id: <200605160010.k4G0AMrF030631@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: James Raftery <james@now.ie>
Cc: 
Subject: Re: ports/97313: [maintainer patch] Update net/vnc port to 4.1.2
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: James Raftery <james@now.ie>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2006 00:10:23 -0000

The following reply was made to PR ports/97313; it has been noted by GNATS.

From: James Raftery <james@now.ie>
To: Ion-Mihai IOnut Tetcu <itetcu@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/97313: [maintainer patch] Update net/vnc port to 4.1.2
Date: Tue, 16 May 2006 01:06:37 +0100

 Hi,
 
 On 16 May 2006, at 00:12, Ion-Mihai IOnut Tetcu wrote:
 >>> Number:         97313
 >>> Category:       ports
 >>> Synopsis:       [maintainer patch] Update net/vnc port to 4.1.2
 >>> Severity:       serious
 >>> Priority:       medium
 >>> Responsible:    freebsd-ports-bugs
 >>> Description:
 >> 	The patch below updates the net/vnc port from version 4.1.1 to
 >> 	version 4.1.2.
 >>
 >> 	4.1.2 addresses a serious vulnerability in RealVNC.
 >
 > Please tell us what this vulnerability is and if possible provide a
 > vuxml entry for it as well.
 
 http://www.securityfocus.com/bid/17978
 http://www.securityfocus.com/archive/1/433994/30/0/threaded
 
 A malicious VNC client can cause a VNC server to allow it to connect  
 without any authentication regardless of the authentication settings  
 configured in the server.
 
 VuXML below. It's my first, so please check thoroughly :)
 
 <vuln vid="4645b98c-e46e-11da-9ae7-00123fcc6e5c">
    <topic>Authentication bypass vulnerability found in RealVNC</topic>
    <affects>
      <package>
        <name>vnc</name>
        <range><eq>4.1.1</eq></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>RealVNC is susceptible to an authentication-bypass  
 vulnerability.
        A malicious VNC client can cause a VNC server to allow it to
        connect without any authentication regardless of the  
 authentication
        settings configured in the server. Exploiting this issue allows
        attackers to gain unauthenticated, remote access to the VNC  
 servers.</p>
      </body>
    </description>
    <references>
      <bid>17978</bid>
      <mlist>http://www.securityfocus.com/archive/1/433994/30/0/ 
 threaded</mlist>
    </references>
    <dates>
      <discovery>2006-05-15</discovery>
      <entry>2006-05-16</entry>
    </dates>
 </vuln>
 
 
 Thanks,
 james
 -- 
 Times flies like an arrow. Fruit flies like bananas.