On Fri, Jul 01, 2016 at 10:31:33AM +0100, Daniel P. Berrange wrote:
Libvirt Security Notice: LSN-2016-0001
======================================

Summary: Authentication disabled when setting empty VNC password
Reported on: 20130531
Published on: 20130531
Fixed on: 20160630
Reported by: Vivian Zhang <vivianzhang@xxxxxxxxxx>
             Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx>
Patched by: Jiri Denemar <jdenemar@xxxxxxxxxx>
See also: CVE-2016-5008

Branch: v1.3.1-maint
Broken in: v1.3.3.1
Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
Fixed by: 2d5370eba6b52f44cf832eba28f162c55331a47c

Branch: v1.3.3-maint
Broken in: v1.3.3.1
Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
Fixed by: 881441f84a30cd3921df313a982f7162d7ca04f4

I just want to make sure my guess is right. We don't have a 1.3.2-maint branch, so it wasn't back-ported there. Does that mean we will never need such a branch, hence we're fine; or does it mean that we should add a branch for the CVE fix just in case someone wants to back-port another fix to 1.3.2 and creates it -- so that it is not vulnerable?

My guess is that we won't have 1.3.2 but we should rather be safe...

Martin
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list