
Re: Revert "CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot"



Hi,

First, it is a bit stressful when one's work is reverted without direct
communication; this requires constant checking whether there are related
commits to one's past days of work, and given the volume this can also
just be missed.
I would recommend e.g. a quick mail in such a situation, WDYT?

Now about this revert, the git commit message says:

> This reverts commit 77a25a7a8a60d1005185d4a5ba2c2f57c3618830. CVEs from
> embedded-code-copies must not simply be copied over (otherwise this would
> be automated), but after validating whether each package embedding is
> actually affected in terms of build and usage patterns.

I added:

+    - italc <removed>
+    - ssvnc <unfixed>
+    - tightvnc <unfixed>
+    - veyon 4.3.1+repack1-1
+    - vncsnapshot <unfixed>
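
Review bot: the added entries carry no record of how each package was checked, which is the concern the revert message raises. For the ssvnc, tightvnc and vncsnapshot `<unfixed>` lines and the veyon `4.3.1+repack1-1` line, consider recording next to each entry what was verified (for example, that the embedded copy contains the affected VNC client connection code), so the validation is visible in the data itself rather than only in this mail.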

I excluded 3 out of 8 packages. I only added packages that actually
contain the impacted code (VNC client connection, using original RealVNC
codebase). Last, I marked the version of veyon that is already fixed in
unstable.
This clearly isn't simply "copying over" the packages from
embedded-code-copies (which I had incidentally just updated as it was
incomplete).

Let me know if there's something I missed.

Cheers!
Sylvain

