[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt To manage notifications about this bug go to: https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:ubuntu/precise/qemu-kvm -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt To manage notifications about this bug go to: https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Ubuntu 12.04 is also affected -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt To manage notifications about this bug go to: https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu-kvm (Debian) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt To manage notifications about this bug go to: https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu-kvm (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Bug watch added: Debian Bug tracker #611134 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134 ** Also affects: qemu-kvm (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:ubuntu/lucid-proposed/qemu-kvm -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in Ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:ubuntu/maverick-updates/qemu-kvm ** Branch linked: lp:ubuntu/lucid-updates/qemu-kvm ** Branch linked: lp:ubuntu/karmic-security/qemu-kvm -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Nothing left to do, unsubscribing ubuntu-security-sponsors. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.4 --- qemu-kvm (0.11.0-0ubuntu6.4) karmic-security; urgency=low * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson. - CVE-2011-0011 -- Dustin KirklandFri, 11 Feb 2011 17:46:26 -0600 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
This bug was fixed in the package qemu-kvm - 0.12.5+noroms-0ubuntu7.2 --- qemu-kvm (0.12.5+noroms-0ubuntu7.2) maverick-security; urgency=low [ Dustin Kirkland ] * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197). - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson. - CVE-2011-0011 [ Kees Cook ] * debian/rules: disable parallel build; fix FTBFS. -- Kees CookFri, 11 Feb 2011 15:52:12 -0800 ** Changed in: qemu-kvm (Ubuntu Maverick) Status: Fix Committed => Fix Released ** Changed in: qemu-kvm (Ubuntu Lucid) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.4 --- qemu-kvm (0.12.3+noroms-0ubuntu9.4) lucid-security; urgency=low * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson. - CVE-2011-0011 -- Dustin KirklandFri, 11 Feb 2011 09:57:30 -0600 ** Changed in: qemu-kvm (Ubuntu Karmic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu-kvm (Ubuntu Maverick) Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees) ** Changed in: qemu-kvm (Ubuntu Lucid) Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees) ** Changed in: qemu-kvm (Ubuntu Karmic) Importance: Undecided => Medium ** Changed in: qemu-kvm (Ubuntu Karmic) Assignee: (unassigned) => Kees Cook (kees) ** Changed in: qemu-kvm (Ubuntu Lucid) Status: In Progress => Fix Committed ** Changed in: qemu-kvm (Ubuntu Maverick) Status: In Progress => Fix Committed ** Changed in: qemu-kvm (Ubuntu Karmic) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Attaching debdiff for karmic. ** Patch added: "697197.karmic.debdiff" https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1844267/+files/697197.karmic.debdiff -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Thanks for preparing the debdiffs! It looks like karmic is vulnerable
too, so we'll need that as well. I'll update the debdiffs to use proper
DEP-3 and fix up the formatting of the changelogs a bit ("CVE-" vs "CVE:
"), and get these building.
** Also affects: libvirt (Ubuntu Karmic)
Importance: Undecided
Status: New
** Also affects: qemu-kvm (Ubuntu Karmic)
Importance: Undecided
Status: New
** Changed in: libvirt (Ubuntu Karmic)
Status: New => Invalid
** Changed in: qemu-kvm (Ubuntu Karmic)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/697197
Title:
Empty password allows access to VNC in libvirt
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: libvirt (Ubuntu Natty) Importance: High => Undecided ** Changed in: libvirt (Ubuntu Natty) Assignee: Serge Hallyn (serge-hallyn) => (unassigned) ** Changed in: qemu-kvm (Ubuntu Maverick) Milestone: maverick-updates => None ** Changed in: libvirt (Ubuntu Lucid) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:ubuntu/qemu-kvm -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:~kirkland/ubuntu/natty/qemu-kvm/fix-build -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Attaching Lucid debdiff. ** Patch added: "697197.lucid.debdiff" https://bugs.launchpad.net/ubuntu/lucid/+source/qemu-kvm/+bug/697197/+attachment/1843553/+files/697197.lucid.debdiff ** Changed in: qemu-kvm (Ubuntu Lucid) Assignee: Dustin Kirkland (kirkland) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
This bug was fixed in the package qemu-kvm - 0.13.0+noroms-0ubuntu13 --- qemu-kvm (0.13.0+noroms-0ubuntu13) natty; urgency=low [ Neil Wilson ] * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit 52c18be9 - CVE: 2011-0011 [ Dustin Kirkland ] * Updated patch to reflect the move of vnc.c to ui/vnc.c -- Dustin KirklandFri, 11 Feb 2011 09:53:19 -0600 ** Changed in: qemu-kvm (Ubuntu Natty) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Confirmed that the affected code is also in Lucid. Adding a task for that, and attaching a debdiff for lucid-security too. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Uploading to Natty now... ** Also affects: libvirt (Ubuntu Lucid) Importance: Undecided Status: New ** Also affects: qemu-kvm (Ubuntu Lucid) Importance: Undecided Status: New ** Changed in: qemu-kvm (Ubuntu Lucid) Importance: Undecided => Medium ** Changed in: qemu-kvm (Ubuntu Lucid) Status: New => In Progress ** Changed in: qemu-kvm (Ubuntu Lucid) Assignee: (unassigned) => Dustin Kirkland (kirkland) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Marking the libvirt tasks "invalid", as upstream libvirt has correctly pointed out that this bug is in qemu, and not libvirt: * https://bugzilla.redhat.com/show_bug.cgi?id=667097 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
The patch needs to go into Lucid as well. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: libvirt (Ubuntu Maverick) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
@security team, Could you please sponsor this to the maverick-security queue? Thanks! ** Patch added: "697197.debdiff" https://bugs.launchpad.net/ubuntu/maverick/+source/qemu-kvm/+bug/697197/+attachment/1843528/+files/697197.debdiff ** Changed in: qemu-kvm (Ubuntu Maverick) Assignee: Dustin Kirkland (kirkland) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Looks good, thanks for doing this, Neil. I'm going to update it just slightly, as this debdiff will need to go through the security queue, since there's an associated CVE. I'll prep that upload and the security team will sponsor it into maverick- security. I'll get it uploaded to natty now. The last thing I need you to do is to email your patch to the qemu-devel mailing list. The maintainers do not accept patches solely attached to bugs in Launchpad. Their processes require that you email the patch to the mailing list. Sorry for the run-around. Cheers! ** Changed in: qemu-kvm (Ubuntu Maverick) Importance: Undecided => Medium ** Changed in: qemu-kvm (Ubuntu Maverick) Status: New => In Progress ** Changed in: qemu-kvm (Ubuntu Maverick) Milestone: None => maverick-updates ** Changed in: qemu-kvm (Ubuntu Maverick) Assignee: (unassigned) => Dustin Kirkland (kirkland) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Also affects: libvirt (Ubuntu Maverick) Importance: Undecided Status: New ** Also affects: qemu-kvm (Ubuntu Maverick) Importance: Undecided Status: New ** Also affects: libvirt (Ubuntu Natty) Importance: High Assignee: Serge Hallyn (serge-hallyn) Status: Invalid ** Also affects: qemu-kvm (Ubuntu Natty) Importance: Medium Assignee: Dustin Kirkland (kirkland) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu-kvm (Ubuntu) Importance: Undecided => Medium ** Changed in: qemu-kvm (Ubuntu) Status: Confirmed => In Progress ** Changed in: qemu-kvm (Ubuntu) Assignee: (unassigned) => Dustin Kirkland (kirkland) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: qemu Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
This fault probably affects all the current versions of qemu-kvm. It's present in 0.11 and the current qemu master branch. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Please sponsor for upload -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Installed patched build onto Maverick server. vnc_listen set to 0.0.0.0 in /etc/libvirt/qemu.conf Set vnc_password=""' with vnc_tls=1 in /etc/libvirt/qemu.conf and confirmed that the lanched server now rejects authentication for any password, whereas it turned off authentication and encryption completely before. Hashed out vnc_password and left vnc_tls=1 in /etc/libvirt/qemu.conf. Confirmed that the server uses anonymous auth with TLS. Allows the user on without a password. qemu-kvm launched with -vnc 0.0.0.0:0,tls,x509=/etc/pki/libvirt-vnc Hashed out vnc_tls=1. Confirmed server allows direct access to VNC. qemu-kvm launched with -vnc 0.0.0.0:0 Set vnc_password="". Confirmed server rejects authentication for any password, with no encryption. Again previously it had just let the user on. qemu-kvm launched with -vnc 0.0.0.0:0,password set vnc_password="password". Confirmed server accepts authentication with that password. qemu-kvm launched with -vnc 0.0.0.0:0,password -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Patch added: "qemu-kvm_0.12.5+noroms-0ubuntu7.2.debdiff" https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1812796/+files/qemu-kvm_0.12.5%2Bnoroms-0ubuntu7.2.debdiff ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Branch linked: lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu- kvm.fix-697197 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
The solution to this problem is to reverse the commit 52c18be9e99dabe295321153fda7fce9f76647ac in the main Qemu archive. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Also affects: qemu Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
CVE issued putting the onus squarely on qemu's shoulders. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2011-0011 ** Changed in: libvirt (Ubuntu) Status: Confirmed => Invalid ** Changed in: qemu-kvm (Ubuntu) Status: New => Confirmed ** Bug watch added: Red Hat Bugzilla #668589 https://bugzilla.redhat.com/show_bug.cgi?id=668589 ** Also affects: qemu-kvm via https://bugzilla.redhat.com/show_bug.cgi?id=668589 Importance: Unknown Status: Unknown ** This bug has been flagged as a security vulnerability -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
When I say in the clear, the libvirt guys think they're in the clear. Checked the qemu source and there is no fix for this problem. Could be a change of behaviour. ** Changed in: libvirt (Ubuntu) Status: Invalid => Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Libvirt is in the clear on this one. It is a mild security issue introduced into QEMU. ** Changed in: libvirt (Ubuntu) Status: Confirmed => Invalid ** Also affects: qemu-kvm (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 697197] Re: Empty password allows access to VNC in libvirt
>From the libvirt list "The behaviour you're seeing is a bug recently introduced in > the QEMU monitor password command handling by QEMU GIT repo > changeset 52c18be9e99dabe295321153fda7fce9f76647ac. > " On 7 January 2011 14:41, Serge Hallyn <697...@bugs.launchpad.net> wrote: > ** Changed in: libvirt (Ubuntu) > Assignee: (unassigned) => Serge Hallyn (serge-hallyn) > > -- > You received this bug notification because you are a direct subscriber > of the bug. > https://bugs.launchpad.net/bugs/697197 > > Title: > Empty password allows access to VNC in libvirt > -- Neil Wilson -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Changed in: libvirt (Ubuntu) Assignee: (unassigned) => Serge Hallyn (serge-hallyn) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
Thanks for taking the time to report this bug and helping to make Ubuntu better. The feature itself may be low priority, bug getting the comment in the qemu.conf file fixed so that no admins get caught by surprise seems like high priority. I see no activity in the upstream bug yet, though, so will wait to see what feedback happens there. ** Changed in: libvirt (Ubuntu) Status: New => Confirmed ** Changed in: libvirt (Ubuntu) Importance: Undecided => Medium ** Changed in: libvirt (Ubuntu) Importance: Medium => High -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
** Bug watch added: Red Hat Bugzilla #667097 https://bugzilla.redhat.com/show_bug.cgi?id=667097 ** Also affects: libvirt via https://bugzilla.redhat.com/show_bug.cgi?id=667097 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697197] Re: Empty password allows access to VNC in libvirt
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
