Date: Wed, 12 Jan 2011 09:17:00 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com> Cc: coley@...us.mitre.org Subject: Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication Please use CVE-2011-0011 Thanks. -- JB ----- Original Message ----- > "The semantics of the ',password' option to -vnc are that it enables > the VNC > auth scheme. If the VNC server password is unset or empty string, all > attempts > to authenticate with the server will be explicitly blocked. > > This allows applications to enable and selectively allow access for a > period of > time, before clearing the password again to prevent further access. > > Upstream changes have introduced a flaw by disabling all > authentication when > the password was cleared with upstream commit . > >  > http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac" > > Reference: > https://bugzilla.redhat.com/show_bug.cgi?id=668589 > > Thanks, > -- > Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ