Date: Mon, 10 Jan 2011 17:42:43 -0700
From: Kurt Seifried <kurt@...fried.org>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Cc: coley@...us.mitre.org
Subject: Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication

> Upstream changes have introduced a flaw by disabling all authentication when
> the password was cleared with upstream commit .
>
> http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac

Confirmed vulnerable in qemu-kvm source code 0.10.6, fixed in 0.11.0

http://sourceforge.net/projects/kvm/files/qemu-kvm/

--
Kurt Seifried
kurt@...fried.org
skype: 1-703-879-3176
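The failure mode described in the quoted report, as an added example that is not part of this thread and is not QEMU code: a fail-open password setter that downgrades the auth mode when the password is cleared, next to a fail-closed one that leaves the mode alone. All names here are hypothetical, and the password check is reduced to a string compare (real VNC authentication is challenge-response).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a VNC display's auth state; not QEMU's structures. */
enum auth_mode { AUTH_NONE, AUTH_VNC };
struct display {
    enum auth_mode auth;
    char password[9];      /* VNC passwords are at most 8 characters */
    bool has_password;
};

/* Fail-open: clearing the password also switches authentication off. */
static void set_password_fail_open(struct display *d, const char *pw)
{
    if (pw == NULL || pw[0] == '\0') {
        d->auth = AUTH_NONE;           /* the silent downgrade */
        pw = "";
    } else {
        d->auth = AUTH_VNC;
    }
    d->has_password = (pw[0] != '\0');
    snprintf(d->password, sizeof d->password, "%s", pw);
}

/* Fail-closed: the auth mode is never touched; an empty password matches nothing. */
static void set_password_fail_closed(struct display *d, const char *pw)
{
    d->has_password = (pw != NULL && pw[0] != '\0');
    snprintf(d->password, sizeof d->password, "%s", d->has_password ? pw : "");
}

/* True if a client offering `offered` (NULL = no credential) is admitted. */
static bool client_admitted(const struct display *d, const char *offered)
{
    if (d->auth == AUTH_NONE)
        return true;
    if (!d->has_password || offered == NULL)
        return false;
    return strcmp(d->password, offered) == 0;   /* simplified comparison */
}

int main(void)
{
    struct display a = { AUTH_VNC, "", false }, b = { AUTH_VNC, "", false };
    set_password_fail_open(&a, "");
    set_password_fail_closed(&b, "");
    printf("open=%d closed=%d\n", client_admitted(&a, NULL), client_admitted(&b, NULL));
    return 0;
}
```
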