From ${URL} :

It was found that setting the VNC password to an empty string doesn't work the way it's documented. The documented semantics of setting the password to an empty string are that it disables all access to the VNC server, however in fact it allows all users access with no authentication required instead.

Product bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1180092

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Fixed in: 1.3.5-r1
Vulnerable version left in tree: 1.3.4

commit 376e22508ab65ce5ebe3e1f1b977d013a860f84e
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Jun 30 12:59:59 2016 -0500

    app-emulation/libvirt: Apply upstream patch for CVE-2016-5008, bug #587570

    Package-Manager: portage-2.2.28

Arches, please stabilize

=app-emulation/libvirt-1.3.5-r1
=dev-python/libvirt-python-1.3.5

Target-Keywords: amd64 x86

amd64 stable
x86 stable. Maintainer(s), please cleanup.

commit ac7c68ff853c87b3fc3395dacb34b095c73cdbc3
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:54:41 2016 -0500

    app-emulation/libvirt: drop vulnerable 1.2.21-r2, bug #587570 CVE-2016-5008

    Package-Manager: portage-2.2.28

commit 90c9b77c2dfebbfe13340da54d622b258bb9328a
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:56:39 2016 -0500

    app-emulation/libvirt: x86 stable

    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="x86"

commit 34d6a62b26a78ab6f0901de39fdb14109db2b186
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:53:14 2016 -0500

    app-emulation/libvirt: amd64 stable

    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="amd64"

commit 45b982e636481053a901137211441a5d8be30fc3
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:46:18 2016 -0500

    app-emulation/libvirt: update 1.2.21, fix CVE-2016-5008, bug #587570

    Package-Manager: portage-2.2.28

Unaffected versions:
>=1.2.21-r3 and <1.3.0
>=1.3.5-r1

GLSA Vote: No
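
A defender-side check for the condition described in this bug, as an added example that is not part of the original report and not libvirt or Gentoo code: it lists domains whose VNC <graphics> element carries an empty passwd attribute when the installed libvirt is outside the unaffected ranges given above. The sample XML, the domain names and all function names are constructed for illustration, and versions are assumed to have the form X.Y.Z with an optional -rN revision.

```python
import re
import xml.etree.ElementTree as ET

# Constructed domain definitions, trimmed to the elements that matter here.
# Real input would come from `virsh dumpxml --security-info <domain>`;
# without --security-info the passwd attribute is omitted from the dump.
SAMPLE_DOMAINS = [
    "<domain><name>web01</name><devices>"
    "<graphics type='vnc' port='-1' autoport='yes' passwd=''/></devices></domain>",
    "<domain><name>db01</name><devices>"
    "<graphics type='vnc' port='-1' autoport='yes' passwd='constructed-secret'/></devices></domain>",
    "<domain><name>dev01</name><devices>"
    "<graphics type='vnc' port='-1' autoport='yes'/></devices></domain>",
]

def parse_version(v):
    """'1.3.5-r1' -> (1, 3, 5, 1); a missing -rN revision counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?", v)
    if m is None:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_unaffected(version):
    """Ranges as listed in this bug: >=1.2.21-r3 and <1.3.0, or >=1.3.5-r1."""
    p = parse_version(version)
    return (1, 2, 21, 3) <= p < (1, 3, 0, 0) or p >= (1, 3, 5, 1)

def vnc_password_states(domain_xml):
    """Yield (domain, state) per VNC <graphics>; state is unset, empty or set."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    for g in root.iter("graphics"):
        if g.get("type") == "vnc":
            pw = g.get("passwd")
            yield name, "unset" if pw is None else "empty" if pw == "" else "set"

def audit(domains, libvirt_version):
    """Return names of domains where an empty VNC password means open access."""
    if is_unaffected(libvirt_version):
        return []
    return [n for doc in domains for n, s in vnc_password_states(doc) if s == "empty"]

if __name__ == "__main__":
    for ver in ("1.3.4", "1.3.5-r1"):
        print(ver, audit(SAMPLE_DOMAINS, ver))
```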