Security update for libvirt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:1944-1 Final 1 1 2016-08-03T13:01:31Z current 2016-08-03T13:01:31Z 2016-08-03T13:01:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libvirt This update for libvirt fixes the following issues: Security issues fixed: - CVE-2016-5008: empty VNC password disables authentication (bsc#987527) Bugs fixed: - bsc#970906: Fixed a race condition in xenstore event handling. - bsc#952889: Change hap setting to align with Xen behavior. - Fixed 'make check' failures. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-libvirt-12674,slessp4-libvirt-12674 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20161944-1/ Link for SUSE-SU-2016:1944-1 https://lists.suse.com/pipermail/sle-security-updates/2016-August/002174.html E-Mail link for SUSE-SU-2016:1944-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/952889 SUSE Bug 952889 https://bugzilla.suse.com/970906 SUSE Bug 970906 https://bugzilla.suse.com/987527 SUSE Bug 987527 https://www.suse.com/security/cve/CVE-2016-5008/ SUSE CVE CVE-2016-5008 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 libvirt-devel-1.2.5-15.3 libvirt-devel-32bit-1.2.5-15.3 libvirt-1.2.5-15.3 libvirt-client-1.2.5-15.3 libvirt-client-32bit-1.2.5-15.3 libvirt-doc-1.2.5-15.3 libvirt-lock-sanlock-1.2.5-15.3 perl-Sys-Virt-1.2.5-4.2 libvirt-1.2.5-15.3 as a component of SUSE Linux Enterprise Server 11 SP4 libvirt-client-1.2.5-15.3 as a component of SUSE Linux Enterprise Server 11 SP4 libvirt-client-32bit-1.2.5-15.3 as a component of SUSE Linux Enterprise Server 11 SP4 libvirt-doc-1.2.5-15.3 as a component of SUSE Linux Enterprise Server 11 SP4 libvirt-lock-sanlock-1.2.5-15.3 as a component of SUSE Linux Enterprise Server 11 SP4 perl-Sys-Virt-1.2.5-4.2 as a component of SUSE Linux Enterprise Server 11 SP4 libvirt-1.2.5-15.3 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libvirt-client-1.2.5-15.3 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libvirt-client-32bit-1.2.5-15.3 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libvirt-doc-1.2.5-15.3 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libvirt-lock-sanlock-1.2.5-15.3 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 perl-Sys-Virt-1.2.5-4.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libvirt-devel-1.2.5-15.3 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libvirt-devel-32bit-1.2.5-15.3 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. CVE-2016-5008 SUSE Linux Enterprise Server 11 SP4:libvirt-1.2.5-15.3 SUSE Linux Enterprise Server 11 SP4:libvirt-client-1.2.5-15.3 SUSE Linux Enterprise Server 11 SP4:libvirt-client-32bit-1.2.5-15.3 SUSE Linux Enterprise Server 11 SP4:libvirt-doc-1.2.5-15.3 SUSE Linux Enterprise Server 11 SP4:libvirt-lock-sanlock-1.2.5-15.3 SUSE Linux Enterprise Server 11 SP4:perl-Sys-Virt-1.2.5-4.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libvirt-1.2.5-15.3 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libvirt-client-1.2.5-15.3 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libvirt-client-32bit-1.2.5-15.3 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libvirt-doc-1.2.5-15.3 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libvirt-lock-sanlock-1.2.5-15.3 SUSE Linux Enterprise Server for SAP Applications 11 SP4:perl-Sys-Virt-1.2.5-4.2 SUSE Linux Enterprise Software Development Kit 11 SP4:libvirt-devel-1.2.5-15.3 SUSE Linux Enterprise Software Development Kit 11 SP4:libvirt-devel-32bit-1.2.5-15.3 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161944-1/ https://www.suse.com/security/cve/CVE-2016-5008.html CVE-2016-5008 https://bugzilla.suse.com/987527 SUSE Bug 987527