[3.1] libvirt: Setting empty VNC password allows access to unauthorized users (CVE-2016-5008)
It was found that setting the VNC password to an empty string does not work
the way it is documented.
The documented semantics of setting the password to an empty string are
that it disables all access to the VNC server;
in fact, it instead allows all users access with no authentication
required.
References:
http://security.libvirt.org/2016/0001.html
Patch:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=bb848feec0f3f10e92dd8e5231ae7aa89b5598f3
(from redmine: issue id 5878, created on 2016-07-08, closed on 2016-08-03)
- Relations:
  - parent #5873 (closed)
- Changesets:
  - Revision 0b2c0b74 on 2016-08-02T11:43:37Z:
    main/libvirt: security fix (CVE-2016-5008). Fixes #5878
    (cherry picked from commit fe21e87ffd9382eed66543f8c2d0f740878849d7)
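
A defender-side check for the condition described in this issue, as an added example that is not part of the original report or of libvirt's own code: it parses libvirt domain XML and flags VNC `<graphics>` devices whose `passwd` attribute is the empty string. The sample XML is constructed and the function names are hypothetical; it assumes the XML was dumped with security information included (for example `virsh dumpxml --security-info`), since `passwd` is otherwise omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the issue).
SAMPLE_DOMAINS = {
    "guest-empty": "<domain type='kvm'><name>guest-empty</name><devices>"
                   "<graphics type='vnc' port='-1' autoport='yes' passwd=''/>"
                   "</devices></domain>",
    "guest-set": "<domain type='kvm'><name>guest-set</name><devices>"
                 "<graphics type='spice' autoport='yes'/>"
                 "<graphics type='vnc' port='5901' passwd='example-only'/>"
                 "</devices></domain>",
    "guest-absent": "<domain type='kvm'><name>guest-absent</name><devices>"
                    "<graphics type='vnc' port='-1' autoport='yes'/>"
                    "</devices></domain>",
}


def audit_vnc_passwords(domain_xml):
    """Return [(domain_name, finding)] for every VNC graphics device.

    Findings (labels are this example's own, not libvirt terminology):
      empty-passwd  passwd='' is present: the case this issue is about
      passwd-set    a non-empty password is configured
      no-passwd     attribute absent (unset, or dump lacked security info)
    """
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    findings = []
    for graphics in root.iterfind("./devices/graphics"):
        if graphics.get("type") != "vnc":
            continue  # the issue concerns VNC only
        passwd = graphics.get("passwd")
        if passwd is None:
            findings.append((name, "no-passwd"))
        elif passwd == "":
            findings.append((name, "empty-passwd"))
        else:
            findings.append((name, "passwd-set"))
    return findings


def domains_needing_review(domains):
    """Names of domains with at least one VNC device using passwd=''."""
    flagged = set()
    for xml_text in domains.values():
        for name, finding in audit_vnc_passwords(xml_text):
            if finding == "empty-passwd":
                flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(domains_needing_review(SAMPLE_DOMAINS))
```

On a libvirt build without the fix, any domain this reports should be treated as reachable over VNC without authentication until it is reconfigured or libvirt is updated.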