[libvirt] LSN-2016-0001 - Authentication disabled when setting empty VNC password

Daniel P. Berrange berrange at redhat.com
Fri Jul 1 12:39:57 UTC 2016


On Fri, Jul 01, 2016 at 02:01:01PM +0200, Martin Kletzander wrote:
> On Fri, Jul 01, 2016 at 10:31:33AM +0100, Daniel P. Berrange wrote:
> >        Libvirt Security Notice: LSN-2016-0001
> >        ======================================
> > 
> >       Summary: Authentication disabled when setting empty VNC
> >                password
> >   Reported on: 20130531
> >  Published on: 20130531
> >      Fixed on: 20160630
> >   Reported by: Vivian Zhang <vivianzhang at redhat.com>
> >                Christoph Anton Mitterer <calestyo at scientia.net>
> >    Patched by: Jiri Denemar <jdenemar at redhat.com>
> >      See also: CVE-2016-5008
> > 
> >      Branch: v1.3.1-maint
> >   Broken in: v1.3.3.1
> >   Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
> >    Fixed by: 2d5370eba6b52f44cf832eba28f162c55331a47c
> > 
> >      Branch: v1.3.3-maint
> >   Broken in: v1.3.3.1
> >   Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
> >    Fixed by: 881441f84a30cd3921df313a982f7162d7ca04f4
> > 
> 
> I just want to make sure my guess is right.  We don't have 1.3.2-maint
> branch, so it wasn't back-ported there.  Does that mean we will never
> need such branch, hence we're fine; or does it mean that we should add a
> branch for the CVE fix just in case someone wants to back-port other fixes
> to 1.3.2 and creates it -- so that it is not vulnerable?
> 
> My guess is that we won't have 1.3.2 but we should rather be safe...

I simply applied to all branches listed in origin. Yes, we should really
create a 1.3.2 branch, and any other missing branches, so we can get the
security fixes on all branches.

IMHO, we should switch to creating the -maint branch at the time of each
release, instead of waiting until we need it.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
