2.2.3

Assets

• turbovnc-2.2.3.tar.gz is the official source tarball for this release. The automatically generated "Source code" assets are not supported.
• Refer to https://TurboVNC.org/Downloads/DigitalSignatures for information regarding the methods used to sign the files in this release and instructions for verifying the signatures.
• The binary packages were built with libjpeg-turbo 2.0.3.

Support

Code Quality: Stable
Current Support Category: Extended

Documentation

User’s Guide for TurboVNC 2.2.3

Release Notes

Significant changes relative to 2.2.2:

1. The Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm is now supported by the TurboVNC Server when using OpenSSL 1.0.2 or later.

2. A new security configuration file directive (permitted-cipher-suites) in the TurboVNC Server and a new Java system property (turbovnc.ciphersuites) in the Java TurboVNC Viewer can now be used to specify a list of permitted TLS cipher suites for the TLS* and X509* security types.

3. Fixed an issue in the Mac TurboVNC Viewer whereby drawing tablet stylus buttons were ignored or mapped to incorrect mouse button events.

4. The built-in HTTP server in the TurboVNC Server now accepts : and @ in any TurboVNC Viewer parameters that are appended to the URL. This allows for specifying an SSH username in the Via parameter and an RFB display/port in the Server parameter.

5. The X RandR outputs in the TurboVNC Server have been renamed to "VNC-0", "VNC-1", etc. This prevents a dialog ("Authentication is required to create a color managed device") from popping up when using the GNOME 3 window manager on recent Linux distributions, including Fedora, RHEL 8, and Ubuntu 18 and later.

6. Fixed a packaging regression, introduced by 2.2 beta1[17], that prevented full-screen multi-screen spanning from working properly with the Mac TurboVNC Viewer app.

7. Fixed a regression introduced by 2.2 beta1[11] that caused the TurboVNC Server to leak memory when certain X11 applications or frameworks requested that clipboard updates from the X server be converted to UTF-8 (by calling XConvertSelection() with a target of xaUTF8_STRING.)

8. Fixed an error ("java.lang.IllegalArgumentException: Error in security property. Constraint unknown: ECDH_ DH_RSA") that occurred when attempting to use any of the TLS* security types with the Java TurboVNC Viewer running under Java 7u211, 8u201, 11.0.2, or later with OpenSSL 1.1.x.

9. Fixed an issue (CVE-2019-15683) in the TurboVNC Server whereby a specially-crafted VNC viewer could be used to remotely trigger a stack overflow in the server by sending it a malformed RFB Fence message. This issue could never have been encountered when using any of the VNC viewers that currently support the RFB Fence message (TurboVNC and TigerVNC.) Furthermore, since exploiting the issue would have first required successfully authenticating with a TurboVNC session, the issue did not generally provide an attack vector for anyone other than the session owner and any collaborators authorized by the owner.

10. Fixed various issues with remote mouse events that would occur when running the Linux TurboVNC Viewer in a Wayland session.

11. The TurboVNC Server now generates a 2048-bit DSA key for use with the TLS* security types. This fixed an error ("dh key too small") that occurred when attempting to connect, using one of those security types, to a TurboVNC session running on a RHEL 8 host. It also fixed an error ("javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints") that occurred when attempting to connect, using one of the TLS* security types, to a TurboVNC session with the Linux TurboVNC Viewer running on a RHEL 8 client. A new security configuration file directive (tls-key-length) can be used to restore the behavior of previous releases of TurboVNC (generating a 1024-bit DSA key) or to increase the key length for additional security.