Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-02-04 Thread Michael Tokarev
Please excuse me for late reply - I missed your email initially somehow. 28.01.2011 00:59, Moritz Mühlenhoff wrote: [] Thanks for the verbose explanation. I've updated the Debian Security Tracker. While we're at it; could you please also look into

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-02-04 Thread Moritz Muehlenhoff
On Fri, Feb 04, 2011 at 01:35:11PM +0300, Michael Tokarev wrote: Please excuse me for late reply - I missed your email initially somehow. 28.01.2011 00:59, Moritz Mühlenhoff wrote: [] Thanks for the verbose explanation. I've updated the Debian Security Tracker. While we're at it;

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-29 Thread Julien Cristau
user release.debian@packages.debian.org usertag 611134 squeeze-can-defer tag 611134 squeeze-ignore kthxbye On Tue, Jan 25, 2011 at 22:25:27 +0100, Moritz Muehlenhoff wrote: Package: kvm Severity: grave Tags: security Please see the following entry in the Red Hat bugzilla:

Processed: Re: Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-29 Thread Debian Bug Tracking System
disables all authentication There were no usertags set. Usertags are now: squeeze-can-defer. tag 611134 squeeze-ignore Bug #611134 [kvm] CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication Added tag(s) squeeze-ignore. kthxbye Stopping processing here

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-27 Thread Moritz Mühlenhoff
On Wed, Jan 26, 2011 at 08:56:06AM +0300, Michael Tokarev wrote: 26.01.2011 00:25, Moritz Muehlenhoff wrote: Package: kvm Severity: grave Tags: security Please see the following entry in the Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011 Yes, I've

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-26 Thread Julien Cristau
On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote: Second, this is an intended behaviour. Empty vnc password meant to be no authentication, not a lockdown. When you start it without specifying a password it lets everyone in. Intended by whom? Cheers, Julien

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-26 Thread Michael Tokarev
On 26.01.2011 11:25, Julien Cristau wrote: On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote: Second, this is an intended behaviour. Empty vnc password meant to be no authentication, not a lockdown. When you start it without specifying a password it lets everyone in. Intended

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-25 Thread Moritz Muehlenhoff
Package: kvm Severity: grave Tags: security Please see the following entry in the Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011 The impact is not entirely obvious to me? Do I understand it correctly that a malicious application accessing a KVM instance could lock

Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-25 Thread Michael Tokarev
26.01.2011 00:25, Moritz Muehlenhoff wrote: Package: kvm Severity: grave Tags: security Please see the following entry in the Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011 Yes, I've seen this even before CVE ID was assigned. The impact is not entirely