Candidate: CVE-2020-26117
PublicDate: 2020-09-27 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26117
 https://bugzilla.opensuse.org/show_bug.cgi?id=1176733
 https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb (v1.11.0)
 https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b (v1.11.0)
 https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba (master)
 https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e (master)
 https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb
 https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b
 https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba
 https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e
 https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0
Description:
 In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before
 1.11.0, viewers mishandle TLS certificate exceptions. They store the
 certificates as authorities, meaning that the owner of a certificate could
 impersonate any server after a client had added an exception.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971272
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N [8.1 HIGH]


Patches_tigervnc:
upstream_tigervnc: released (1.10.1+dfsg-9)
precise/esm_tigervnc: DNE
trusty_tigervnc: ignored (out of standard support)
trusty/esm_tigervnc: DNE
xenial_tigervnc: DNE
bionic_tigervnc: needs-triage
focal_tigervnc: needs-triage
groovy_tigervnc: ignored (reached end-of-life)
hirsute_tigervnc: not-affected (1.10.1+dfsg-9)
impish_tigervnc: not-affected (1.10.1+dfsg-9)
jammy_tigervnc: not-affected (1.10.1+dfsg-9)
devel_tigervnc: not-affected (1.10.1+dfsg-9)