Re: Revert "CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot"
Hi,
First, it is a bit stressful when one's work is reverted without direct
communication; this requires constant checking whether there are related
commits to one's past days of work, and given the volume this also can be
just missed.
I would recommend e.g. a quick mail in such a situation, WDYT?
Now about this revert, the git commit message says:
> This reverts commit 77a25a7a8a60d1005185d4a5ba2c2f57c3618830. CVEs from
> embedded-code-copies must not simply be copied over (otherwise this would
> be automated), but after validating whether each package embedding is
> actually affected in terms of build and usage patterns.
I added:
+ - italc <removed>
+ - ssvnc <unfixed>
+ - tightvnc <unfixed>
+ - veyon 4.3.1+repack1-1
+ - vncsnapshot <unfixed>
I excluded 3 out of 8 packages. I only added packages that actually
contain the impacted code (VNC client connection, using original RealVNC
codebase). Last, I marked the version of veyon that is already fixed in
unstable.
This clearly isn't simply "copying over" the packages from
embedded-code-copies (which I had incidentally just updated as it was
incomplete).
Let me know if there's something I missed.
Cheers!
Sylvain