libvirt: TLS certificate verification disabled for clients (CVE-2017-1000256)
libvirt version 2.3.0 and later is vulnerable to a bad default
configuration of “verify-peer=no” passed to
QEMU by libvirt resulting in a failure to validate SSL/TLS certificates
by default.
References:
https://security.libvirt.org/2017/0002.html
https://nvd.nist.gov/vuln/detail/CVE-2017-1000256
Patches:
https://security.libvirt.org/2017/0002.html
(from redmine: issue id 8157, created on 2017-11-16, closed on 2017-11-21)
- Relations:
- child #8158 (closed)
- child #8159 (closed)