Debian Security Advisory
DLA-541-1 libvirt -- LTS security update
- Date Reported:
- 01 Jul 2016
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-5008.
- More information:
It was discovered that there was a password policy issue in libvirt, a library for interfacing with different virtualization systems.
Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behave like that. VNC would happily accept the empty password. We enforce the behavior by setting password expiration to
For Debian 7
Wheezy, this issue has been fixed in libvirt version 0.9.12.3-1+deb7u2.
We recommend that you upgrade your libvirt packages.