[3.4] libvirt: Setting empty VNC password allows access to unauthorized users (CVE-2016-5008)
It was found that setting the VNC password to an empty string does not
behave the way it is documented.
The documented semantics of setting the password to an empty string are
that it disables all access to the VNC server.
In fact, it instead allows all users access with no authentication
required.
References:
http://security.libvirt.org/2016/0001.html
Patch:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=bb848feec0f3f10e92dd8e5231ae7aa89b5598f3
(from redmine: issue id 5875, created on 2016-07-08, closed on 2016-08-03)
- Relations:
- parent #5873 (closed)
- Changesets:
- Revision 34062c88 by Natanael Copa on 2016-07-19T11:14:56Z:
main/libvirt: security fix for CVE-2016-5008
fixes #5875
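
An added example, not part of the original issue or of libvirt's code: a Python check that flags domain XML whose VNC `<graphics>` element carries an empty `passwd` attribute, the configuration described above. The sample XML, domain names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML; the names and values are made up.
SAMPLE_DOMAINS = {
    "guest-empty": """<domain type='kvm'><name>guest-empty</name><devices>
        <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' passwd=''/>
      </devices></domain>""",
    "guest-set": """<domain type='kvm'><name>guest-set</name><devices>
        <graphics type='vnc' port='5901' listen='127.0.0.1' passwd='example-only'/>
      </devices></domain>""",
    "guest-absent": """<domain type='kvm'><name>guest-absent</name><devices>
        <graphics type='vnc' port='-1' autoport='yes'/>
      </devices></domain>""",
}


def classify_vnc(domain_xml):
    """Return one finding per <graphics type='vnc'> element in a domain XML."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    findings = []
    for graphics in root.iter("graphics"):
        if graphics.get("type") != "vnc":
            continue
        passwd = graphics.get("passwd")
        if passwd is None:
            status = "absent"   # no per-domain password in this XML
        elif passwd == "":
            status = "empty"    # the case covered by CVE-2016-5008
        else:
            status = "set"
        # Report only the status, never the password value itself.
        findings.append({"domain": name, "listen": graphics.get("listen"),
                         "status": status})
    return findings


def empty_password_domains(domains):
    """Names of domains with at least one VNC display configured with passwd=''."""
    return sorted(name for name, xml in domains.items()
                  if any(f["status"] == "empty" for f in classify_vnc(xml)))


if __name__ == "__main__":
    for name in empty_password_domains(SAMPLE_DOMAINS):
        print(f"{name}: VNC passwd is an empty string; check libvirt is patched")
```

Run it over the output of `virsh dumpxml --security-info <domain>`; without that flag libvirt leaves the `passwd` attribute out of the dump.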