{"id":"MGASA-2016-0248","summary":"Updated libvirt packages fix security vulnerabilities","details":"Updated libvirt packages fix security vulnerability:\n\nVivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC\npassword does not work as documented in Libvirt, a virtualisation abstraction\nlibrary. When the password on a VNC server is set to the empty string,\nauthentication on the VNC server will be disabled, allowing any user to connect,\ndespite the documentation declaring that setting an empty password for the VNC\nserver prevents all client connections. With this update the behaviour is\nenforced by setting the password expiration to \"now\" (CVE-2016-5008).\n","modified":"2026-01-31T15:26:50.815996Z","published":"2016-07-08T19:50:51Z","related":["CVE-2016-5008"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0248.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18873"},{"type":"REPORT","url":"http://security.libvirt.org/2016/0001.html"},{"type":"REPORT","url":"https://www.debian.org/security/2016/dsa-3613"}],"affected":[{"package":{"name":"libvirt","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/libvirt?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.9.3-1.4.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0248.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}