On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
> On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> > On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> >> Setting an empty vnc_password in qemu.conf is documented as a way to
> >> disable VNC access, but QEMU does not seem to behave like that. Let's
> >> enforce the behavior by setting password expiration to "now".
> >
> > Hmm, I wonder when they regressed that behaviour *again*. We've fixed
> > that in QEMU at least twice in the past. I'd like to see us explore
> > when this changed in QEMU and whether we should fix it there instead.
> >
>
> I did some digging on this recently, see my findings here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
>
> The issue is that there are two different monitor commands at play here, and the
> set_password one we presently use has never had the semantics we advertise in
> qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless

Ok, so it's broken since we stopped using 'change vnc password' HMP command.
So we'll want to deal with this as a libvirt CVE, and provide patches on
historical stable branches too.

Regards,
Daniel
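
A check for the condition discussed in this thread, as an added example that is not part of the original messages and is not libvirt's code: it finds an empty vnc_password in qemu.conf text and builds the QMP messages that pair set_password with expire_password at time "now", the enforcement Jiri's patch description proposes. The function names, the sample file and the "last assignment wins" parsing rule are assumptions of this example.

```python
import json
import re

# Constructed sample qemu.conf; only the key name vnc_password comes from the thread.
SAMPLE_QEMU_CONF = '''
# remote display settings
vnc_listen = "0.0.0.0"
#vnc_password = "XYZ12345"
vnc_password = ""
'''

# Matches: key = "value", optionally followed by a comment.
# Lines starting with '#' never match, so commented-out keys are ignored.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:#.*)?$')

def configured_vnc_password(conf_text):
    """Return the active vnc_password value, or None when the key is unset."""
    value = None
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == "vnc_password":
            value = m.group(2)  # assumption: a later assignment overrides an earlier one
    return value

def qmp_password_commands(password):
    """Build the QMP messages for a VNC password (hypothetical helper).

    An empty password also gets expire_password with time "now", because
    set_password by itself does not disable access.
    """
    cmds = [{"execute": "set_password",
             "arguments": {"protocol": "vnc", "password": password}}]
    if password == "":
        cmds.append({"execute": "expire_password",
                     "arguments": {"protocol": "vnc", "time": "now"}})
    return cmds

def audit(conf_text):
    """Return (status, qmp_commands) for the given qemu.conf text."""
    pw = configured_vnc_password(conf_text)
    if pw is None:
        return "unset", []
    status = "relies-on-empty-password" if pw == "" else "password-set"
    return status, qmp_password_commands(pw)

if __name__ == "__main__":
    status, cmds = audit(SAMPLE_QEMU_CONF)
    print(status)
    for cmd in cmds:
        print(json.dumps(cmd))
```
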