
[SECURITY] [DLA 541-1] libvirt security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libvirt
Version        : 0.9.12.3-1+deb7u2
CVE ID         : CVE-2016-5008

It was discovered that there was a password policy issue in libvirt, a
library for interfacing with different virtualization systems.

Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behave like that. VNC would
happily accept the empty password. We enforce the behavior by setting
password expiration to "now".

For Debian 7 "Wheezy", this issue has been fixed in libvirt version
0.9.12.3-1+deb7u2.

We recommend that you upgrade your libvirt packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
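
The following audit sketch is an added example, not part of the advisory or of libvirt itself. It finds guests whose VNC/SPICE access control depends on an empty graphics password, the case described above, so they can be checked against the fixed package version. The sample XML and function names are constructed for illustration, and the input is assumed to come from `virsh dumpxml --security-info`.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions, not taken from the advisory.
# Assumption: XML comes from `virsh dumpxml --security-info`, because
# libvirt omits the passwd attribute from ordinary dumps.
SAMPLE_DOMAINS = {
    "guest-empty": "<domain type='kvm'><devices>"
                   "<graphics type='vnc' port='-1' passwd=''/>"
                   "</devices></domain>",
    "guest-set": "<domain type='kvm'><devices>"
                 "<graphics type='spice' autoport='yes' passwd='constructed-pw'/>"
                 "</devices></domain>",
    "guest-none": "<domain type='kvm'><devices>"
                  "<graphics type='vnc' port='5901'/>"
                  "</devices></domain>",
}


def audit_graphics(xml_text):
    """Classify the password state of every VNC/SPICE <graphics> element."""
    findings = []
    for g in ET.fromstring(xml_text).findall("./devices/graphics"):
        gtype = g.get("type")
        if gtype not in ("vnc", "spice"):
            continue
        passwd = g.get("passwd")
        if passwd is None:
            state = "no-password"      # no password configured at all
        elif passwd == "":
            state = "empty-password"   # the CVE-2016-5008 case
        else:
            state = "password-set"
        findings.append((gtype, state))
    return findings


def relies_on_empty_password(domains):
    """Names of domains whose access control depends on an empty password."""
    return sorted(
        name for name, xml_text in domains.items()
        if any(state == "empty-password" for _, state in audit_graphics(xml_text))
    )


if __name__ == "__main__":
    for name in relies_on_empty_password(SAMPLE_DOMAINS):
        print(f"{name}: empty graphics password; confirm libvirt is at the fixed version")
```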

