Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration to now. For the stable distribution (jessie), this problem has been fixed in version 1.2.9-9+deb8u3. For the unstable distribution (sid), this problem has been fixed in version 2.0.0-1. We recommend that you upgrade your libvirt packages.
Vivian Zhang and Christoph Anton Mitterer discovered that setting an
empty VNC password does not work as documented in Libvirt, a
virtualisation abstraction library. When the password on a VNC server is
set to the empty string, authentication on the VNC server will be
disabled, allowing any user to connect, despite the documentation
declaring that setting an empty password for the VNC server prevents all
client connections. With this update the behaviour is enforced by
setting the password expiration to now
.
For the stable distribution (jessie), this problem has been fixed in version 1.2.9-9+deb8u3.
For the unstable distribution (sid), this problem has been fixed in version 2.0.0-1.
We recommend that you upgrade your libvirt packages.