[3.3] libvirt: Setting empty VNC password allows access to unauthorized users (CVE-2016-5008)
It was found that setting the VNC password to an empty string does not
work as documented.
The documented semantics of setting the password to an empty string are
that it disables all access to the VNC server;
however, it in fact allows all users access with no authentication
required.
References:
http://security.libvirt.org/2016/0001.html
Patch:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=bb848feec0f3f10e92dd8e5231ae7aa89b5598f3
(from redmine: issue id 5876, created on 2016-07-08, closed on 2016-08-03)
- Relations:
- parent #5873 (closed)
- Changesets:
- Revision fe21e87f on 2016-08-01T14:34:09Z:
main/libvirt: security fix (CVE-2016-5008). Fixes #5876
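
An added example, not part of the original issue or of libvirt's code: a Python check that flags libvirt domain XML whose VNC `<graphics>` element carries an empty `passwd` attribute, the setting this CVE concerns. The sample XML, status labels and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the advisory).
SAMPLE_DOMAINS = {
    "vm-empty": "<domain type='kvm'><name>vm-empty</name><devices>"
                "<graphics type='vnc' port='-1' autoport='yes' passwd=''/>"
                "</devices></domain>",
    "vm-set": "<domain type='kvm'><name>vm-set</name><devices>"
              "<graphics type='vnc' port='-1' passwd='example-only'/>"
              "<graphics type='spice' autoport='yes'/>"
              "</devices></domain>",
    "vm-unset": "<domain type='kvm'><name>vm-unset</name><devices>"
                "<graphics type='vnc' port='5901'/>"
                "</devices></domain>",
}


def vnc_password_findings(domain_xml):
    """Return [(domain name, status)] for each VNC graphics device."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    findings = []
    for gfx in root.iter("graphics"):
        if gfx.get("type") != "vnc":
            continue  # only VNC devices are in scope for this check
        passwd = gfx.get("passwd")
        if passwd is None:
            status = "not-set-in-domain-xml"
        elif passwd == "":
            # Documented as "no access"; affected versions allow all access.
            status = "empty-passwd"
        else:
            status = "passwd-set"
        findings.append((name, status))
    return findings


def audit(domains):
    """Return sorted names of domains with an empty VNC password."""
    flagged = set()
    for xml_text in domains.values():
        for name, status in vnc_password_findings(xml_text):
            if status == "empty-passwd":
                flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in audit(SAMPLE_DOMAINS):
        print(f"{name}: VNC passwd is empty; check libvirt version")
```

On a live host the `passwd` attribute only appears in the output of `virsh dumpxml --security-info`, so feed the check that form of the XML.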