Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Jan 2011 09:17:00 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Cc: coley@...us.mitre.org
Subject: Re: CVE request: qemu-kvm: Setting VNC password to
 empty string silently disables all authentication

Please use CVE-2011-0011

Thanks.

-- 
    JB


----- Original Message -----
> "The semantics of the ',password' option to -vnc are that it enables
> the VNC
> auth scheme. If the VNC server password is unset or empty string, all
> attempts
> to authenticate with the server will be explicitly blocked.
> 
> This allows applications to enable and selectively allow access for a
> period of
> time, before clearing the password again to prevent further access.
> 
> Upstream changes have introduced a flaw by disabling all
> authentication when
> the password was cleared with upstream commit [1].
> 
> [1]
> http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac"
> 
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=668589
> 
> Thanks,
> --
> Petr Matousek / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ