Ubuntu Security Notice 3576-1 - Vivian Zhang and Christoph Anton Mitterer discovered that libvirt incorrectly disabled password authentication when the VNC password was set to an empty string. A remote attacker could possibly use this issue to bypass authentication, contrary to expectations. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Daniel P. Berrange discovered that libvirt incorrectly handled validating SSL/TLS certificates. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 17.10. Various other issues were also addressed.
90c6d4cdd362e55904c6d76f4118ef039e8e85b0aab04a6669ee178da97eb658
Red Hat Security Advisory 2016-2577-02 - The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
118b2a68f087d0b881f87bbe5c345b76866347fea54cab5d7b90899f14c20513
Debian Linux Security Advisory 3613-1 - Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration to "now".
40eb5793bb6cd89796053333ac3de675058f4fe68e4a83f76ae3ad3bb8c56d4e