TigerVNC is vulnerable to a man-in-the-middle (MitM) attack: vncviewer could prompt for and send authentication credentials to a remote server without first properly validating the server's X.509 certificate. Because vncviewer gave no indication that the certificate was bad or missing, a man-in-the-middle attacker could use this flaw to trick a vncviewer client into connecting to a spoofed VNC server and so obtain the client's credentials.
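The defensive order of operations this flaw violated, as an added example that is not TigerVNC's code: the client verifies the server certificate and fails closed before any credential prompt is shown. The `prompt` and `send` callables are hypothetical stand-ins for the real dialog and protocol layer.

```python
"""Verify the server's X.509 certificate and fail closed BEFORE prompting
for or sending credentials.  Example code written for this note, not
TigerVNC's own; `prompt` and `send` are caller-supplied stand-ins."""
import socket
import ssl


class UntrustedServer(Exception):
    """The TLS peer could not be authenticated; no credentials were sent."""


def hardened_context(cafile=None):
    # Certificate required and hostname checked: a missing, self-signed or
    # mismatched certificate aborts the handshake with SSLCertVerificationError.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_context():
    # Models the pre-fix behaviour: the handshake succeeds against any peer,
    # so the credential prompt would fire no matter who is listening.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def peer_is_verified(tls_sock):
    """True only if the context demanded a certificate AND one was presented."""
    return (tls_sock.context.verify_mode == ssl.CERT_REQUIRED
            and bool(tls_sock.getpeercert()))


def authenticate(tls_sock, prompt, send):
    """Gate the credential prompt on certificate verification (fail closed)."""
    if not peer_is_verified(tls_sock):
        raise UntrustedServer("server certificate missing or not validated")
    username, password = prompt()
    send(tls_sock, username, password)
    return True


def connect_verified(host, port, cafile=None):
    """TLS handshake with verification; raises before any prompt if it fails."""
    ctx = hardened_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```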
lists.fedoraproject.org/pipermail/package-announce/2011-May/060567.html
openwall.com/lists/oss-security/2011/05/06/2
openwall.com/lists/oss-security/2011/05/09/7
secunia.com/advisories/44939
www.mail-archive.com/tigervnc-devel%40lists.sourceforge.net/msg01342.html
www.mail-archive.com/tigervnc-devel%40lists.sourceforge.net/msg01345.html
www.mail-archive.com/tigervnc-devel%40lists.sourceforge.net/msg01347.html
www.redhat.com/support/errata/RHSA-2011-0871.html
www.securityfocus.com/bid/47738
access.redhat.com/errata/RHSA-2011:0871
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=702470
bugzilla.redhat.com/show_bug.cgi?id=702672