Update Info

openSUSE-2025-16


Security update for neatvnc


Type: security
Severity: moderate
Issued: 2025-01-17
Description:
This update for neatvnc fixes the following issues:

- Update to 0.9.2:

  * This patch release adds missing bounds checks.
    Two buffer overflow vulnerabilities were reported by Frederik
    Reiter who also provided patches to fix them.
    There are potential security implications, but only authenticated
    clients would be able to exploit these vulnerabilities, if at all.
    Nevertheless, it is prudent to update as soon as possible.

- Update to 0.9.1:

  * Fix a data type mismatch in the clipboard code that caused the
    build to fail for 32-bit architectures.

- Update to 0.9.0:

  Highlights:

  * A v4l2m2m based H.264 encoder that works on Raspberry Pi 1 to 4,
    sponsored by Raspberry Pi Ltd.
  * Extended clipboard for UTF-8 text was implemented by Attila Fidan.
  * Listening on a pre-bound file descriptor, implemented by Attila Fidan.
  * The continuous updates extension was implemented by Philipp Zabel.
  * We now have simple bandwidth estimation and improved frame pacing.
  * Methods for rating pixel formats and modifiers according to Neat VNC's
    preferences have been added.
  * The Qemu/VMWare LED state extensions have been implemented.
  * H.264 encoders will now encode the correct colour space into the elementary
    stream.

  Bug fixes:

  * Some memory leaks and reference counting errors have been eradicated.
  * A race between resizing events and framebuffer updates that would cause a
    buffer with the previous size to be sent after a resize event has been fixed.
  * Buffers with 24 bits per pixel will now result in 32 bpp being reported to
    the client because 24 bpp is not allowed by the protocol. Nvidia users should
    now be able to use a wider selection of clients as a result of this change.

- boo#1228777 (CVE-2024-42458)

  Update to 0.8.1:
  * Add sanity check for chosen security type

- Update to 0.8.0:

  Highlights:

  * The colour map pixel format as described in RFC 6143 has been
    implemented. Before, the client would just get disconnected if
    they requested it. Now they get a map that emulates RGB332.
  * Momentary interception of log messages. The user can now set a
    thread-local log handler and then set it back to the default.
  * Philipp Zabel made the code more consistent with the style guide.

  Breaking Changes:

  * nvnc_client_get_hostname has been replaced with nvnc_client_get_address

  Bugfixes:

  * Apple's Diffie-Hellman authentication (security type 30) has been fixed.
  * A new client connection no longer causes a DNS lookup.

- Update to 0.7.2:

  * Clients are now allowed to request more than 32 encodings (#108)
  * Zlib streams are now preserved when a client switches between
    encodings (#109)

- Update to 0.7.1:

  * Apple's Diffie-Hellman authentication (security type 30) has been fixed.
  * A new client connection no longer causes a DNS lookup.

- Update to 0.7.0:

  * Desktop resizing
  * Software pixel buffers with less than 32 bits per pixel are now supported
  * The server may now choose to open a websocket instead of a regular TCP socket
  * The RSA-AES and RSA-AES-256 security types have now been implemented
  * A Diffie-Hellman based security type from Apple is also implemented,
    although not recommended
  * Murmurhash in the damage refinery has been replaced with xxHash,
    which performs much better in my tests so far
  * Users should now get proper feedback when authentication fails


              

Packages


  • neatvnc-0.9.2-bp156.3.3.1