===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1650
                          libvirt security update
                                4 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvirt
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5008

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3613

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libvirt check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3613-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 02, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2016-5008

Vivian Zhang and Christoph Anton Mitterer discovered that setting an
empty VNC password does not work as documented in Libvirt, a
virtualisation abstraction library. When the password on a VNC server is
set to the empty string, authentication on the VNC server will be
disabled, allowing any user to connect, despite the documentation
declaring that setting an empty password for the VNC server prevents all
client connections. With this update the behaviour is enforced by
setting the password expiration to "now".

For the stable distribution (jessie), this problem has been fixed in
version 1.2.9-9+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.0-1.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
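
Added example, not part of the Debian advisory or the AusCERT bulletin: a configuration audit that finds guests whose VNC password is the empty string, the condition described in DSA-3613-1. It assumes the per-domain password is carried in the passwd attribute of the <graphics type='vnc'> element of libvirt domain XML; the three domain definitions, their names and the password value are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (shape of `virsh dumpxml --security-info` output).
SAMPLE_DOMAINS = {
    "web01": """<domain type='kvm'><name>web01</name><devices>
        <graphics type='vnc' port='5900' listen='0.0.0.0' passwd=''/>
    </devices></domain>""",
    "db01": """<domain type='kvm'><name>db01</name><devices>
        <graphics type='vnc' port='5901' listen='127.0.0.1' passwd='constructed-secret'/>
    </devices></domain>""",
    "build01": """<domain type='kvm'><name>build01</name><devices>
        <graphics type='spice' autoport='yes'/>
        <graphics type='vnc' port='-1' autoport='yes'/>
    </devices></domain>""",
}

def audit_domain(xml_text):
    """Return one finding per VNC <graphics> element in a domain definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    findings = []
    for gfx in root.iterfind("./devices/graphics[@type='vnc']"):
        passwd = gfx.get("passwd")  # None when the attribute is absent
        if passwd is None:
            status = "no-domain-password"  # host-wide default applies; not assessed here
        elif passwd == "":
            status = "empty-password"      # the condition described in the advisory
        else:
            status = "password-set"
        findings.append({"domain": name, "listen": gfx.get("listen", "(default)"),
                         "port": gfx.get("port"), "status": status})
    return findings

def audit_all(domains):
    """Audit every definition and return only the empty-password findings."""
    flagged = []
    for xml_text in domains.values():
        flagged += [f for f in audit_domain(xml_text) if f["status"] == "empty-password"]
    return flagged

if __name__ == "__main__":
    for f in audit_all(SAMPLE_DOMAINS):
        print(f"{f['domain']}: VNC on {f['listen']}:{f['port']} has an empty password; "
              "no authentication is enforced on unpatched libvirt")
```

On a real host the XML has to come from `virsh dumpxml --security-info`, because the passwd attribute is omitted from the output without that option.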