-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1650
                          libvirt security update
                                4 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvirt
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5008  

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3613

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libvirt check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3613-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 02, 2016                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2016-5008

Vivian Zhang and Christoph Anton Mitterer discovered that setting an
empty VNC password does not work as documented in Libvirt, a
virtualisation abstraction library. When the password on a VNC server is
set to the empty string, authentication on the VNC server will be
disabled, allowing any user to connect, despite the documentation
declaring that setting an empty password for the VNC server prevents all
client connections. With this update the behaviour is enforced by
setting the password expiration to "now".

For the stable distribution (jessie), this problem has been fixed in
version 1.2.9-9+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.0-1.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
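The condition Debian describes above (an empty VNC password silently disabling authentication) is visible on the wire: an RFB server that needs no credentials offers security type 1 ("None") during the handshake, while a password-protected one offers type 2 ("VNC Authentication"). The following probe, added here as an illustration and not part of the AusCERT or Debian text, performs only the version and security-type exchange against a VNC port and reports whether unauthenticated connections are accepted. It handles the RFB 3.8 type list and the older 3.3 single-type form, and the refusal message a server sends when it offers no types. The security-type numbers follow RFC 6143; the host/port arguments and the in-process fake server (which replays constructed handshakes so the example runs offline) are assumptions of this example, not anything from libvirt or QEMU.

```python
"""Probe a VNC (RFB) endpoint and report whether it admits clients without authentication.

Added example for the libvirt CVE-2016-5008 advisory; not libvirt or QEMU code.
"""
import socket
import struct
import threading

# RFB security types (RFC 6143 section 7.1.2). Only the two that matter here are named.
SEC_NONE = 1          # no authentication: the vulnerable state described in the advisory
SEC_VNC_AUTH = 2      # classic VNC challenge/response password authentication


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def negotiate_security_types(sock):
    """Run the RFB version handshake and return the security types the server offers."""
    banner = recv_exact(sock, 12)                     # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    sock.sendall(banner)                              # accept whatever version the server speaks
    if (major, minor) <= (3, 3):
        # RFB 3.3: the server picks a single type and sends it as a big-endian u32.
        (sec,) = struct.unpack("!I", recv_exact(sock, 4))
        return [sec]
    count = recv_exact(sock, 1)[0]
    if count == 0:
        # RFB 3.7/3.8 refusal: u32 reason length followed by the reason string.
        (length,) = struct.unpack("!I", recv_exact(sock, 4))
        reason = recv_exact(sock, length).decode("utf-8", errors="replace")
        raise ConnectionError("server refused connection: %s" % reason)
    return list(recv_exact(sock, count))


def classify(types):
    """UNAUTHENTICATED if the server will admit a client with no credentials at all."""
    return "UNAUTHENTICATED" if SEC_NONE in types else "AUTH_REQUIRED"


def probe(host, port, timeout=3.0):
    """Connect, negotiate, and return (offered_types, verdict) without completing a login."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        types = negotiate_security_types(sock)
    return types, classify(types)


def fake_vnc_server(security_bytes, banner=b"RFB 003.008\n"):
    """One-shot fake RFB server on localhost replaying a constructed handshake (demo only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            recv_exact(conn, 12)                      # client's version reply
            conn.sendall(security_bytes)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed handshakes: count=1,type=None versus count=1,type=VNC Authentication.
    for label, reply in (("empty password", b"\x01\x01"), ("real password", b"\x01\x02")):
        port = fake_vnc_server(reply)
        types, verdict = probe("127.0.0.1", port)
        print("%-15s offers %s -> %s" % (label, types, verdict))
```

Run it against a real guest display with `probe("<host>", 5900)`; a verdict of UNAUTHENTICATED on a display that was supposed to be locked with an empty password is the advisory's failure mode. After the Debian update, an empty password is meant to leave VNC Authentication in place but expired, so the probe should report AUTH_REQUIRED. The probe never sends credentials and disconnects after the security-type exchange, so it is safe to run against production consoles.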

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----