Date: Wed, 12 Jan 2011 09:17:00 -0500 (EST)
From: Josh Bressers <>
To:, Petr Matousek <>
Subject: Re: CVE request: qemu-kvm: Setting VNC password to
 empty string silently disables all authentication

Please use CVE-2011-0011



----- Original Message -----
> "The semantics of the ',password' option to -vnc are that it enables the VNC
> auth scheme. If the VNC server password is unset or empty string, all attempts
> to authenticate with the server will be explicitly blocked.
> This allows applications to enable and selectively allow access for a period of
> time, before clearing the password again to prevent further access.
> Upstream changes have introduced a flaw by disabling all authentication when
> the password was cleared with upstream commit [1].
> [1]
> Reference:
> Thanks,
> --
> Petr Matousek / Red Hat Security Response Team
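
Added example, not part of the original message or of QEMU's code: a check for the condition described in the quoted report, run over the server's side of a captured RFB (VNC) handshake. It assumes that a server whose authentication has been disabled advertises RFB security type 1 (None); the function names and sample bytes are constructed for illustration.

```python
import struct

SEC_NONE, SEC_VNC_AUTH = 1, 2  # RFB security type numbers

def offered_security_types(server_bytes: bytes, client_minor: int = 8):
    """Return the security types offered in a captured handshake.

    server_bytes: the server's side of the stream (ProtocolVersion followed
    by the security offer). client_minor: the 3.x minor the client answered.
    """
    if (len(server_bytes) < 12 or server_bytes[:4] != b"RFB "
            or server_bytes[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major = int(server_bytes[4:7].decode("ascii"))
    minor = int(server_bytes[8:11].decode("ascii"))
    if major != 3:
        raise ValueError("unsupported RFB major version")
    body = server_bytes[12:]
    if min(minor, client_minor) < 7:
        # RFB 3.3: the server dictates one type as a 32-bit big-endian
        # value; 0 means the connection is refused.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (sec_type,) = struct.unpack(">I", body[:4])
        return [sec_type] if sec_type else []
    # RFB 3.7/3.8: one count byte, then that many one-byte types;
    # a count of 0 means the connection is refused.
    if not body or len(body) < 1 + body[0]:
        raise ValueError("truncated security type list")
    return list(body[1:1 + body[0]])

def verdict(types):
    """Classify an offer: 'open' means a client may connect with no auth."""
    if not types:
        return "refused"
    return "open" if SEC_NONE in types else "auth-required"

# Constructed captures (not taken from a real server).
SAMPLES = {
    "password enforced": b"RFB 003.008\n\x01\x02",
    "auth disabled": b"RFB 003.008\n\x01\x01",
    "auth disabled, 3.3": b"RFB 003.003\n\x00\x00\x00\x01",
}

if __name__ == "__main__":
    for name, capture in SAMPLES.items():
        print(f"{name}: {verdict(offered_security_types(capture))}")
```

A display started with ',password' should report auth-required whether or not a password is currently set; "open" on such a display is the condition the report describes.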
