Security update for tigervnc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1841-1 Final 1 1 2020-11-05T19:25:49Z current 2020-11-05T19:25:49Z 2020-11-05T19:25:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tigervnc This update for tigervnc fixes the following issues: - CVE-2020-26117: Server certificates were stored as certiticate authorities, allowing malicious owners of these certificates to impersonate any server after a client had added an exception (bsc#1176733) This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1841 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AHGUGM3YL5HL5VFJ4H6Q3GAZOZUQSECF/ E-Mail link for openSUSE-SU-2020:1841-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1176733 SUSE Bug 1176733 https://www.suse.com/security/cve/CVE-2020-26117/ SUSE CVE CVE-2020-26117 page openSUSE Leap 15.1 libXvnc-devel-1.9.0-lp151.4.9.1 libXvnc1-1.9.0-lp151.4.9.1 tigervnc-1.9.0-lp151.4.9.1 tigervnc-x11vnc-1.9.0-lp151.4.9.1 xorg-x11-Xvnc-1.9.0-lp151.4.9.1 xorg-x11-Xvnc-java-1.9.0-lp151.4.9.1 xorg-x11-Xvnc-module-1.9.0-lp151.4.9.1 xorg-x11-Xvnc-novnc-1.9.0-lp151.4.9.1 libXvnc-devel-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 libXvnc1-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 tigervnc-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 tigervnc-x11vnc-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 xorg-x11-Xvnc-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 xorg-x11-Xvnc-java-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 xorg-x11-Xvnc-module-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 xorg-x11-Xvnc-novnc-1.9.0-lp151.4.9.1 as a component of openSUSE Leap 15.1 In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception. CVE-2020-26117 openSUSE Leap 15.1:libXvnc-devel-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:libXvnc1-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:tigervnc-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:tigervnc-x11vnc-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:xorg-x11-Xvnc-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:xorg-x11-Xvnc-java-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:xorg-x11-Xvnc-module-1.9.0-lp151.4.9.1 openSUSE Leap 15.1:xorg-x11-Xvnc-novnc-1.9.0-lp151.4.9.1 critical 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AHGUGM3YL5HL5VFJ4H6Q3GAZOZUQSECF/ https://www.suse.com/security/cve/CVE-2020-26117.html CVE-2020-26117 https://bugzilla.suse.com/1176733 SUSE Bug 1176733