Advisories » MGASA-2016-0248

Updated libvirt packages fix security vulnerabilities

Publication date: 08 Jul 2016
Modification date: 08 Jul 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-5008

Description

Updated libvirt packages fix security vulnerability:

Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC
password does not work as documented in Libvirt, a virtualisation abstraction
library. When the password on a VNC server is set to the empty string,
authentication on the VNC server will be disabled, allowing any user to connect,
despite the documentation declaring that setting an empty password for the VNC
server prevents all client connections. With this update the behaviour is
enforced by setting the password expiration to "now" (CVE-2016-5008).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18873
• http://security.libvirt.org/2016/0001.html
• https://www.debian.org/security/2016/dsa-3613
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008

SRPMS

5/core

• libvirt-1.2.9.3-1.4.mga5