Description
It was found that the libvirt daemon, when using RBD (RADOS Block Device),
leaked private credentials to the process list. A local attacker could use this
flaw to perform certain privileged operations within the cluster.
(CVE-2015-5160)
* A path-traversal flaw was found in the way the libvirt daemon handled
filesystem names for storage volumes. A libvirt user with privileges to create
storage volumes and without privileges to create and modify domains could
possibly use this flaw to escalate their privileges. (CVE-2015-5313)
* It was found that setting a VNC password to an empty string in libvirt did not
disable all access to the VNC server as documented, instead it allowed access
with no authentication required. An attacker could use this flaw to access a VNC
server with an empty VNC password without any authentication. (CVE-2016-5008)