Libvncserver Versions Save

0.9.14 represents a gradual improvement over 0.9.13 with lots of developments all over the place. 40 issues and pull requests were closed/merged with this release. Highlights on the LibVNCServer side are a refined multi-threaded implementation, support for Unicode clipboard data 📋❗ and an outbound-connection machinery that works for real world use cases. LibVNCClient received support for SetDesktopSize (which had been added server-side in 0.9.13) and a properly documented SSH-tunneling setup.

Overall changes:

• Added more documentation (build system integration, repeater setup) and a legal FAQ.
• Added contribution guidelines.
• Ported the TravisCI continous integration machinery to GitHub workflows.

LibVNCServer/LibVNCClient:

• Added qemu extended key event support.
• Fixed several potential multiplication overflows.

LibVNCClient:

• Fixes of several memory leaks and buffer overflows.
• Added UltraVNC's MSLogonII authentication scheme.
• Fixed TLS interoperability with GnuTLS servers.
• Fixed detection of newer UltraVNC and TightVNC servers.
• Added support for SetDesktopSize.
• Added SSH tunneling example using libssh2.
• Added some extensions to VeNCrypt in order to be compatible with a wider range of servers.

LibVNCServer:

• Fixes to the multi-threaded server implementation which should be a lot more sound now.
• Fixed TightVNC-filetransfer file upload for 64-bit systems.
• Fixes of crashes in the zlib compression.
• Added support for UTF8 clipboard data.
• Fixed visual artifacts in framebuffer on ARM platforms.
• Fixed several WebSockets bugs.
• Fixed the UltraVNC-style repeater example.
• Added support for larger framebuffers (two 4k screens possible now).
• Added support for timeouts for outbound connections (to repeaters for instance).
• Fixed out-of-bounds memory access in Tight encoding.

Overall changes:

• Automagically generated API documentation using doxygen.
• Added support for pkg-config.
• Fixed Mingw32 cross compilation.
• Fixed CMake build system.

LibVNCServer/LibVNCClient:

• All files used by both LibVNCServer and LibVNCClient were put into a 'common' directory, reducing code duplication.
• Implemented xvp VNC extension.
• Updated minilzo library used for Ultra encoding to ver 2.04. According to the minilzo README, this brings a significant speedup on 64-bit architectures.

LibVNCServer:

• Thread safety for ZRLE, Zlib, Tight, RRE, CoRRE and Ultra encodings. This makes all VNC encodings safe to use with a multithreaded server.
• A DisplayFinishedHook for LibVNCServer. If set, this hook gets called just before rfbSendFrameBufferUpdate() returns.
• Fix for tight security type for RFB 3.8 in TightVNC file transfer (Debian Bug #517422).

LibVNCClient:

• Unix sockets support.
• Anonymous TLS security type support.
• VeNCrypt security type support.
• MSLogon security type support.
• ARD (Apple Remote Desktop) security type support.
• UltraVNC Repeater support.
• A new FinishedFrameBufferUpdate callback that is invoked after each complete framebuffer update.
• A new non-forking listen (reverse VNC) function that works under Windows.
• IPv6 support. LibVNCClient is now able to connect to IPv6 VNC servers.
• IP QoS support. This enables setting the DSCP/Traffic Class field of IP/IPv6 packets sent by a client. For example starting a client with -qosdscp 184 marks all outgoing traffic for expedited forwarding. Implementation for Win32 is still a TODO, though.
• Fixed hostname resolution problems under Windows.

SDLvncviewer

• Is now resizable and can do key repeat, mouse wheel scrolling and clipboard copy and paste.

LinuxVNC:

• Fix for no input possible because of ctrl key being stuck. Issue was reported as Debian bug #555988.

This is a major release that contains numerous bugfixes and a nice bag of shiny new features, mainly full IPv6 support, the new TurboVNC encoder and support for WebSockets.

Overall changes:

• Added noVNC HTML5 VNC viewer (http://kanaka.github.com/noVNC/) connect possibility to our http server. Pure JavaScript, no Java plugin required anymore! (But a recent browser...)
• Added a GTK+ VNC viewer example.

LibVNCServer/LibVNCClient:

• Added support to build for Google Android.
• Complete IPv6 support in both LibVNCServer and LibVNCClient.

LibVNCServer:

• Split two event-loop related functions out of the rfbProcessEvents() mechanism. This is required to be able to do proper event loop integration with Qt. Idea was taken from Vino's libvncserver fork.
• Added TightPNG (http://wiki.qemu.org/VNC_Tight_PNG) encoding support. Like the original Tight encoding, this still uses JPEG, but ZLIB encoded rects are encoded with PNG here.
• Added suport for serving VNC sessions through WebSockets (http://en.wikipedia.org/wiki/WebSocket), a web technology providing for multiplexing bi-directional, full-duplex communications channels over a single TCP connection.
• Support connections from the Mac OS X built-in VNC client to LibVNCServer instances running with no password.
• Replaced the Tight encoder with a TurboVNC one which is tremendously faster in most cases, especially with high-color video or 3D workloads. (http://www.virtualgl.org/pmwiki/uploads/About/tighttoturbo.pdf)

LibVNCClient:

• Added support to only listen for reverse connections on a specific IP address.
• Support for using OpenSSL instead of GnuTLS. This could come in handy on embedded devices where only this TLS implementation is available.
• Added support to connect to UltraVNC Single Click servers.

0.9.13 truly is a cross-platform release, the best we've ever done in that respect: Out of the 49 issues closed with this release, 20 alone were related to MS Windows. The result is that 0.9.13 is the first release with full support for Microsoft Windows! The cross-platform focused work did not end there tough: MacOS support was brought up from barebones to a fully working production-grade VNC server application. Other highlights are improvements regarding TLS in LibVNCClient, SetDesktopSize support in LibVNCServer and a major cleanup of the project's documentation. Last but not least, 0.9.13 comes with the usual assortment of bugfixes and security improvements.

Overall changes:

• Small tweaks to the CMake build system.
• The macOS server example was overhauled and is now the most feature-complete sample application of the project, ready for real-world use.
• Lots of documentation updates and markdownifying.
• The TravisCI continuous integration now also build-checks cross-compilation from Linux to Windows.
• Setup a Gitter community chat for the project.

LibVNCServer/LibVNCClient:

• Both LibVNCServer and LibVNCClient now support an additional platform, namely Microsoft Windows. Building is supported with Visual Studio as well as MingGW.
• The separate crypto routines used by LibVNCClient and LibVNCServer were refactored into an implementation common to both libraries.
• Several security issues got fixed, namely:
  • CVE-2018-21247: When connecting to a repeater, only send initialised string
  • CVE-2019-20839: libvncclient: bail out if unix socket name would overflow
  • CVE-2019-20840: fix crash because of unaligned accesses in hybiReadAndDecode()
  • CVE-2020-14396: libvncclient/tls_openssl: do not deref a NULL pointer
  • CVE-2020-14397: libvncserver: add missing NULL pointer checks
  • CVE-2020-14398: libvncclient: handle half-open TCP connections
  • CVE-2020-14399: libvncclient: fix pointer aliasing/alignment issue
  • CVE-2020-14400: libvncserver: fix pointer aliasing/alignment issue
  • CVE-2020-14401: libvncserver: scale: cast to 64 bit before shifting
  • CVE-2020-14402: libvncserver: encodings: prevent OOB accesses
  • CVE-2020-14403: encodings: prevent OOB accesses
  • CVE-2020-14404: libvncserver: encodings: prevent OOB accesses
  • CVE-2020-14405: libvncclient/rfbproto: limit max textchat size
• The bundled noVNC client is now at version 1.1.0 and included via a git submodule.

LibVNCClient:

• Added connect timeout as well as read timeout support thanks to Tobias Junghans.
• Both TLS backends now do proper locking of network operations when multi-threaded thanks to Gaurav Ujjwal.
• Fixed regression in Tight/Raw decoding introduced in 0.9.12 thanks to DRC.
• Fixed encrypted connections to AnonTLS servers when using the OpenSSL back-end. Made possible by the profound research done by Gaurav Ujjwal.

LibVNCServer:

• Added a hooking function (clientFramebufferUpdateRequestHook) to deliver rfbFramebufferUpdateRequest messages from clients to the frame producer thanks to Jae Hyun Yoo.
• Added SetDesktopSize/ExtendedDesktopSize support thanks to Floris Bos.
• Added multi-threading support for MS Windows.
• Fixed VNC repeater/proxy functionality that was broken in 0.9.12.
• Fixed unstable WebSockets connections thanks to Sebastian Kranz.

Over two years of work have now culminated in 0.9.12. We have ditched the legacy Autotools build system in favour of the truly cross-platform CMake and extended the continuous integration tests to run MS Windows builds as well. LibVNCServer saw quite some memory management issues fixed, LibVNCClient received X509 server certificate verification, Tight decoding optimizations, support for overriding the default rectangle decode handlers and a port of the SDL-based VNC viewer to SDL 2.0. 42 issues were fixed with this release.

• Overall changes:

  • CMake now is the default build system, Autotools were removed.
  • In addition to TravisCI, all commits are now build-tested by AppVeyorCI.

  • LibVNCServer/LibVNCClient:

    • Numerous build fixes for Visual Studio compilers to the extent that one can now build the project with these. The needed changes for successfully running stuff will be implemented in 0.9.13.
    • Fixed building for Android and added build instructions.
    • Removed the unused PolarSSL wrapper.
    • Updated the bundled noVNC to latest release 1.0.0.
    • Allowed to use global LZO library instead of miniLZO.

  • LibVNCClient:

    • Support for OpenSSL 1.1.x.
    • Support for overriding the default rectangle decode handlers (with hardware-accelerated ones for instance) thanks to Balazs Ludmany.
    • vnc2mpg updated.
    • Added support for X509 server certificate verification as part of the handshake process thanks to Simon Waterman.
    • Added a TRLE decoder thanks to Wiki Wang.
    • Included Tight decoding optimizations from TurboVNC thanks to DRC.
    • Ported the SDL viewer from SDL 1.2 to SDL 2.0.
    • Numerous security fixes.
    • Added support for custom auth handlers in order to support additional security types.

  • LibVNCServer:

    • Websockets rework to remove obsolete code thanks to Andreas Weigel.
    • Ensured compatibility with gtk-vnc 0.7.0+ thanks to Michał Kępień.
    • The built-in webserver now sends correct MIME type for Javascript.
    • Numerous memory management issues fixed.
    • Made the TightVNC-style file transfer more stable.

After quite some time finally a major release featuring continous integration to make sure the code builds on all supported platforms. LibVNCClient saw a lot of robustness fixes making it more stable when dealing with broken or malicious servers. LibVNCServer received WebSocket improvements, its built-in webserver got more secure and systemd support was added.

• Overall changes:
  • LibVNCServer/LibVNCClient development now uses continous intregration, provided by TravisCI.
• LibVNCClient:
  • Now initializes libgcrypt before use if the application did not do it. Fixes a crash when connection to Mac hosts (https://github.com/LibVNC/libvncserver/issues/45).
  • Various fixes that result in more stable handling of malicious or broken servers.
  • Removed broken and unmaintained H264 decoding.
  • Some documentation fixes.
  • Added hooks to WriteToTLS() for optional protection by mutex.
• LibVNCServer:
  • Stability fixes for the WebSocket implementation.
  • Replaced SHA1 implementation with the one from RFC 6234.
  • The built-in HTTP server does not allow directory traversals anymore.
  • The built-in HTTP now sends correct MIME types for CSS and SVG.
  • Added support for systemd socket activation.
  • Made it possible to get autoPort behavior with either ipv4 or ipv6 disabled.
  • Fixed starting of an onHold-client in threaded mode.

Another major release that saw a massive code re-organisation, merged some Debian patches, addressed some security issues and fixed building on Windows 8.

• Overall changes:
  • Moved the whole project from sourceforge to https://libvnc.github.io/.
  • Cleaned out the autotools build system which now uses autoreconf.
  • Updated noVNC HTML5 client to latest version.
  • Split out x11vnc sources into separate repository at https://github.com/LibVNC/x11vnc
  • Split out vncterm sources into separate repository at https://github.com/LibVNC/vncterm
  • Split out VisualNaCro sources into separate repository at https://github.com/LibVNC/VisualNaCro
  • Merged Debian patches.
• LibVNCServer/LibVNCClient:
  • Fixed some security-related buffer overflow cases.
  • Added compatibility headers to make LibVNCServer/LibVNCClient build on native Windows 8.
  • Update LZO to version 2.07, fixing CVE-2014-4607.
• LibVNCServer:
  • Merged patches from KDE/krfb.
  • Can now do IPv6 without IPv4.
  • Fixed a use-after-free issue in scale.c.