** Changed in: qemu
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
To manage
** Branch linked: lp:ubuntu/precise/qemu-kvm
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
To manage notifications ab
Ubuntu 12.04 is also affected
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
To manage notifications about this bug go
** Changed in: qemu-kvm (Debian)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
To
** Changed in: qemu-kvm (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubun
** Bug watch added: Debian Bug tracker #611134
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134
** Also affects: qemu-kvm (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134
Importance: Unknown
Status: Unknown
--
You received this bug notification because
** Branch linked: lp:ubuntu/lucid-proposed/qemu-kvm
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-b
** Branch linked: lp:ubuntu/maverick-updates/qemu-kvm
** Branch linked: lp:ubuntu/lucid-updates/qemu-kvm
** Branch linked: lp:ubuntu/karmic-security/qemu-kvm
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://b
Nothing left to do, unsubscribing ubuntu-security-sponsors.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-s
This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.4
---
qemu-kvm (0.11.0-0ubuntu6.4) karmic-security; urgency=low
* SECURITY UPDATE: Setting VNC password to empty string silently
disables all authentication (LP: #697197)
- debian/patches/697197-fix-vnc-password-se
This bug was fixed in the package qemu-kvm - 0.12.5+noroms-0ubuntu7.2
---
qemu-kvm (0.12.5+noroms-0ubuntu7.2) maverick-security; urgency=low
[ Dustin Kirkland ]
* SECURITY UPDATE: Setting VNC password to empty string silently
disables all authentication (LP: #697197).
- de
This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.4
---
qemu-kvm (0.12.3+noroms-0ubuntu9.4) lucid-security; urgency=low
* SECURITY UPDATE: Setting VNC password to empty string silently
disables all authentication (LP: #697197)
- debian/patches/697197-fix-vn
** Changed in: qemu-kvm (Ubuntu Maverick)
Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees)
** Changed in: qemu-kvm (Ubuntu Lucid)
Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees)
** Changed in: qemu-kvm (Ubuntu Karmic)
Importance: Undecided =>
Attaching debdiff for karmic.
** Patch added: "697197.karmic.debdiff"
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1844267/+files/697197.karmic.debdiff
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to li
Thanks for preparing the debdiffs! It looks like karmic is vulnerable
too, so we'll need that as well. I'll update the debdiffs to use proper
DEP-3 and fix up the formatting of the changelogs a bit ("CVE-" vs "CVE:
"), and get these building.
** Also affects: libvirt (Ubuntu Karmic)
Importance:
** Changed in: libvirt (Ubuntu Natty)
Importance: High => Undecided
** Changed in: libvirt (Ubuntu Natty)
Assignee: Serge Hallyn (serge-hallyn) => (unassigned)
** Changed in: qemu-kvm (Ubuntu Maverick)
Milestone: maverick-updates => None
** Changed in: libvirt (Ubuntu Lucid)
S
** Branch linked: lp:ubuntu/qemu-kvm
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-bugs mailing list
** Branch linked: lp:~kirkland/ubuntu/natty/qemu-kvm/fix-build
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubunt
Attaching Lucid debdiff.
** Patch added: "697197.lucid.debdiff"
https://bugs.launchpad.net/ubuntu/lucid/+source/qemu-kvm/+bug/697197/+attachment/1843553/+files/697197.lucid.debdiff
** Changed in: qemu-kvm (Ubuntu Lucid)
Assignee: Dustin Kirkland (kirkland) => Ubuntu Security Team
(ubunt
This bug was fixed in the package qemu-kvm - 0.13.0+noroms-0ubuntu13
---
qemu-kvm (0.13.0+noroms-0ubuntu13) natty; urgency=low
[ Neil Wilson ]
* SECURITY UPDATE: Setting VNC password to empty string silently
disables all authentication (LP: #697197)
- debian/patches/69719
Confirmed that the affected code is also in Lucid. Adding a task for
that, and attaching a debdiff for lucid-security too.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title
Uploading to Natty now...
** Also affects: libvirt (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: qemu-kvm (Ubuntu Lucid)
Importance: Undecided
Status: New
** Changed in: qemu-kvm (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: qemu-kvm (U
Marking the libvirt tasks "invalid", as upstream libvirt has correctly pointed
out that this bug is in qemu, and not libvirt:
* https://bugzilla.redhat.com/show_bug.cgi?id=667097
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt
The patch needs to go into Lucid as well.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-bugs mailing
** Changed in: libvirt (Ubuntu Maverick)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
-
@security team,
Could you please sponsor this to the maverick-security queue? Thanks!
** Patch added: "697197.debdiff"
https://bugs.launchpad.net/ubuntu/maverick/+source/qemu-kvm/+bug/697197/+attachment/1843528/+files/697197.debdiff
** Changed in: qemu-kvm (Ubuntu Maverick)
Assignee: D
Looks good, thanks for doing this, Neil.
I'm going to update it just slightly, as this debdiff will need to go
through the security queue, since there's an associated CVE. I'll prep
that upload and the security team will sponsor it into maverick-
security.
I'll get it uploaded to natty now.
The
** Also affects: libvirt (Ubuntu Maverick)
Importance: Undecided
Status: New
** Also affects: qemu-kvm (Ubuntu Maverick)
Importance: Undecided
Status: New
** Also affects: libvirt (Ubuntu Natty)
Importance: High
Assignee: Serge Hallyn (serge-hallyn)
Status: Inva
** Changed in: qemu-kvm (Ubuntu)
Importance: Undecided => Medium
** Changed in: qemu-kvm (Ubuntu)
Status: Confirmed => In Progress
** Changed in: qemu-kvm (Ubuntu)
Assignee: (unassigned) => Dustin Kirkland (kirkland)
--
You received this bug notification because you are a member
** Changed in: qemu
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-b
This fault probably affects all the current versions of qemu-kvm. It's
present in 0.11 and the current qemu master branch.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title
Please sponsor for upload
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-bugs mailing list
Ubuntu-se
Installed patched build onto Maverick server. vnc_listen set to 0.0.0.0
in /etc/libvirt/qemu.conf
Set vnc_password=""' with vnc_tls=1 in /etc/libvirt/qemu.conf and
confirmed that the lanched server now rejects authentication for any
password, whereas it turned off authentication and encryption com
** Patch added: "qemu-kvm_0.12.5+noroms-0ubuntu7.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1812796/+files/qemu-kvm_0.12.5%2Bnoroms-0ubuntu7.2.debdiff
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Serv
** Branch linked: lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-
kvm.fix-697197
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in li
The solution to this problem is to reverse the commit
52c18be9e99dabe295321153fda7fce9f76647ac in the main Qemu archive.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
** Also affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu-kvm in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
U
CVE issued putting the onus squarely on qemu's shoulders.
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-0011
** Changed in: libvirt (Ubuntu)
Status: Confirmed => Invalid
** Changed in: qemu-kvm (Ubuntu)
Status: New => Confirmed
** Bug watch added: Red Hat B
When I say in the clear, the libvirt guys think they're in the clear.
Checked the qemu source and there is no fix for this problem. Could be a
change of behaviour.
** Changed in: libvirt (Ubuntu)
Status: Invalid => Confirmed
--
You received this bug notification because you are a member
Libvirt is in the clear on this one. It is a mild security issue
introduced into QEMU.
** Changed in: libvirt (Ubuntu)
Status: Confirmed => Invalid
** Also affects: qemu-kvm (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a membe
>From the libvirt list
"The behaviour you're seeing is a bug recently introduced in
> the QEMU monitor password command handling by QEMU GIT repo
> changeset 52c18be9e99dabe295321153fda7fce9f76647ac.
> "
On 7 January 2011 14:41, Serge Hallyn <697...@bugs.launchpad.net> wrote:
> ** Changed in: li
** Changed in: libvirt (Ubuntu)
Assignee: (unassigned) => Serge Hallyn (serge-hallyn)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access
Thanks for taking the time to report this bug and helping to make Ubuntu
better.
The feature itself may be low priority, bug getting the comment in the
qemu.conf file fixed so that no admins get caught by surprise seems like
high priority. I see no activity in the upstream bug yet, though, so
wil
** Bug watch added: Red Hat Bugzilla #667097
https://bugzilla.redhat.com/show_bug.cgi?id=667097
** Also affects: libvirt via
https://bugzilla.redhat.com/show_bug.cgi?id=667097
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ub
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
45 matches
Mail list logo
