USN-3576-1

See a problem?
Source
https://ubuntu.com/security/notices/USN-3576-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-3576-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-3576-1
Related
Published
2018-02-20T19:20:53.639085Z
Modified
2018-02-20T19:20:53.639085Z
Summary
libvirt vulnerabilities
Details

Vivian Zhang and Christoph Anton Mitterer discovered that libvirt incorrectly disabled password authentication when the VNC password was set to an empty string. A remote attacker could possibly use this issue to bypass authentication, contrary to expectations. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5008)

Daniel P. Berrange discovered that libvirt incorrectly handled validating SSL/TLS certificates. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 17.10. (CVE-2017-1000256)

Daniel P. Berrange and Peter Krempa discovered that libvirt incorrectly handled large QEMU replies. An attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. (CVE-2018-5748)

Pedro Sampaio discovered that libvirt incorrectly handled the libnssdns.so module. An attacker in a libvirtlxc session could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6764)

References

Affected packages

Ubuntu:14.04:LTS / libvirt

Package

Name
libvirt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2-0ubuntu13.1.26

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "libvirt-dev": "1.2.2-0ubuntu13.1.26",
            "libvirt-doc": "1.2.2-0ubuntu13.1.26",
            "libvirt0": "1.2.2-0ubuntu13.1.26",
            "libvirt-bin": "1.2.2-0ubuntu13.1.26"
        }
    ]
}

Ubuntu:16.04:LTS / libvirt

Package

Name
libvirt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.1-1ubuntu10.19

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "libvirt-dev": "1.3.1-1ubuntu10.19",
            "libvirt-doc": "1.3.1-1ubuntu10.19",
            "libvirt0": "1.3.1-1ubuntu10.19",
            "libvirt-bin": "1.3.1-1ubuntu10.19"
        }
    ]
}