On Fri, Jul 01, 2016 at 02:01:01PM +0200, Martin Kletzander wrote:
> On Fri, Jul 01, 2016 at 10:31:33AM +0100, Daniel P. Berrange wrote:
> > Libvirt Security Notice: LSN-2016-0001
> > ======================================
> >
> > Summary: Authentication disabled when setting empty VNC password
> > Reported on: 20130531
> > Published on: 20130531
> > Fixed on: 20160630
> > Reported by: Vivian Zhang <vivianzhang@xxxxxxxxxx>
> >              Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx>
> > Patched by: Jiri Denemar <jdenemar@xxxxxxxxxx>
> > See also: CVE-2016-5008
> >
> > Branch: v1.3.1-maint
> > Broken in: v1.3.3.1
> > Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
> > Fixed by: 2d5370eba6b52f44cf832eba28f162c55331a47c
> >
> > Branch: v1.3.3-maint
> > Broken in: v1.3.3.1
> > Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
> > Fixed by: 881441f84a30cd3921df313a982f7162d7ca04f4
> >
>
> I just want to make sure my guess is right. We don't have 1.3.2-maint
> branch, so it wasn't back-ported there. Does that mean we will never
> need such branch, hence we're fine; or does it mean that we should add a
> branch for the CVE fix just in case someone wants to back-port other fix
> to 1.3.2 and creates it -- so that it is not vulnerable?
>
> My guess is that we won't have 1.3.2 but we should rather be safe...

I simply applied to all branches listed in origin. Yes, we should really
create a 1.3.2 branch, and any other missing branches, so we can get the
security fixes on all branches.

IMHO, we should switch to creating the -maint branch at time of each
release, instead of waiting until we need it.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|