Debian Security Advisory

DSA-3613-1 libvirt -- security update

Date Reported:
02 Jul 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-5008.
More information:

Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration to now.

For the stable distribution (jessie), this problem has been fixed in version 1.2.9-9+deb8u3.

For the unstable distribution (sid), this problem has been fixed in version 2.0.0-1.

We recommend that you upgrade your libvirt packages.