This bug was fixed in the package qemu-kvm - 0.13.0+noroms-0ubuntu13 --------------- qemu-kvm (0.13.0+noroms-0ubuntu13) natty; urgency=low
[ Neil Wilson <n...@aldur.co.uk> ] * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit 52c18be9 - CVE: 2011-0011 [ Dustin Kirkland ] * Updated patch to reflect the move of vnc.c to ui/vnc.c -- Dustin Kirkland <kirkl...@ubuntu.com> Fri, 11 Feb 2011 09:53:19 -0600 ** Changed in: qemu-kvm (Ubuntu Natty) Status: In Progress => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/697197 Title: Empty password allows access to VNC in libvirt Status in libvirt virtualization API: Unknown Status in QEMU: Confirmed Status in qemu-kvm: Unknown Status in “libvirt” package in Ubuntu: Invalid Status in “qemu-kvm” package in Ubuntu: Fix Released Status in “libvirt” source package in Lucid: New Status in “qemu-kvm” source package in Lucid: In Progress Status in “libvirt” source package in Maverick: Invalid Status in “qemu-kvm” source package in Maverick: In Progress Status in “libvirt” source package in Natty: Invalid Status in “qemu-kvm” source package in Natty: Fix Released Bug description: The help in the /etc/libvirt/qemu.conf states "To allow access without passwords, leave this commented out. An empty string will still enable passwords, but be rejected by QEMU effectively preventing any use of VNC." yet setting: vnc_password="" allows access to the vnc console without any password prompt just as if it is hashed out completely. ProblemType: Bug DistroRelease: Ubuntu 10.10 Package: libvirt-bin 0.8.3-1ubuntu14 ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8 Uname: Linux 2.6.35-24-server x86_64 Architecture: amd64 Date: Tue Jan 4 12:18:35 2011 InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.2) ProcEnviron: LANG=en_GB.UTF-8 SHELL=/bin/bash SourcePackage: libvirt