[3.5] libvirt: TLS certificate verification disabled for clients (CVE-2017-1000256)
libvirt version 2.3.0 and later is vulnerable to a bad default
configuration of “verify-peer=no” passed to
QEMU by libvirt resulting in a failure to validate SSL/TLS certificates
by default.
References:
https://security.libvirt.org/2017/0002.html
https://nvd.nist.gov/vuln/detail/CVE-2017-1000256
Patches:
https://security.libvirt.org/2017/0002.html
(from redmine: issue id 8159, created on 2017-11-16, closed on 2017-11-21)
- Relations:
- parent #8157 (closed)
- Changesets:
- Revision 35d30cef by Francesco Colista on 2017-11-21T03:49:02Z:
main/libvirt: security fix (CVE 2017-1000256). Fixes #8159