I searched the boards for this, and can't seem to find much discussion about the topic.
VNC v 4.1.1 has had a major vulnerability exposed:
The basics are that a running VNC server on your :0 display is vulnerable to an attack that would allow the attacker to log into your machine's :0 display (the one you see on your desktop) without needing the VNC password.
I was playing World of Warcraft one day, and my mouse kept jumping to the top and bottom of the screen, and it was really annoying. So I hopped out of WoW to see if my buddy was VNC'ing to my machine. To my horror, it was an open VNC session, but to my utter enjoyment, it was a Windows junkie on the other end. The mouse paused for a moment while he located my Firefox icon. Opened Firefox, and I kid you not, tried over 10 times to right-click the address bar and paste something he had copied before. No doubt he knew I was watching, and that it was a virus or other malware he was going to try to send my browser to. I opened a terminal window and ran:
#sudo tethereal > teth.txt
It ran for a moment, and he closed the window, obviously worried that I was doing something he didn't want me to. So I opened gedit, and started a little chat with the moron. I told him he's dumb for even trying and that I have his address, phone number, and ISP information, and the cops would be on their way in a few moments. No response, and the mouse was in my control again.
I closed the port 5900 to my machine and restarted X to kick him off if he was just playing possum.
What I'd like to know is why it's been over a month and yum repos still have not updated to version 4.1.2?
#sudo yum list vnc
Gives me version 4.1.1-39.fc5 as installed.
Downloading the rpm from realvnc.com and running rpm -U doesn't seem to wanna work.
$ sudo rpm -U vnc-4_1_2-x86_linux.rpm
error: Failed dependencies:
libstdc++-libc6.2-2.so.3 is needed by vnc-4.1.2-1.i386
$ ls /usr/lib/libstdc*
So I ran this command:
$ sudo ln -s /usr/lib/libstdc++.so.6 /usr/lib/libstdc++-libc6.2-2.so.3
And I get the same thing.
Any ideas? Can I punch somebody in the stomach to get the update pushed through, or do I just need to be patient?