[libvirt] LSN-2016-0001 - Authentication disabled when setting empty VNC password

Martin Kletzander mkletzan at redhat.com
Fri Jul 1 12:01:01 UTC 2016


On Fri, Jul 01, 2016 at 10:31:33AM +0100, Daniel P. Berrange wrote:
>        Libvirt Security Notice: LSN-2016-0001
>        ======================================
>
>       Summary: Authentication disabled when setting empty VNC
>                password
>   Reported on: 20130531
>  Published on: 20130531
>      Fixed on: 20160630
>   Reported by: Vivian Zhang <vivianzhang at redhat.com>
>                Christoph Anton Mitterer <calestyo at scientia.net>
>    Patched by: Jiri Denemar <jdenemar at redhat.com>
>      See also: CVE-2016-5008
>
>      Branch: v1.3.1-maint
>   Broken in: v1.3.3.1
>   Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
>    Fixed by: 2d5370eba6b52f44cf832eba28f162c55331a47c
>
>      Branch: v1.3.3-maint
>   Broken in: v1.3.3.1
>   Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
>    Fixed by: 881441f84a30cd3921df313a982f7162d7ca04f4
>

I just want to make sure my guess is right.  We don't have a 1.3.2-maint
branch, so it wasn't back-ported there.  Does that mean we will never
need such a branch, hence we're fine; or does it mean that we should add a
branch for the CVE fix just in case someone wants to back-port another fix
to 1.3.2 and creates it -- so that it is not vulnerable?

My guess is that we won't have 1.3.2, but we should rather be safe...

Martin