CVE-2013-6434

Publication date 24 January 2014

Last updated 24 July 2024


Ubuntu priority

The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.3, when using a native SPICE client invocation method, initially makes insecure connections to the SPICE server, which allows man-in-the-middle attackers to spoof the SPICE server.


Status

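| Package | Ubuntu Release | Status |
|---------|----------------|--------|
| spice | 13.10 saucy | Not affected |
| spice | 13.04 raring | Not affected |
| spice | 12.10 quantal | Not affected |
| spice | 12.04 LTS precise | Not affected |
| spice | 10.04 LTS lucid | Not in release |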

Notes


seth-arnold

Insufficient details were provided to determine where the fault is -- the Red Hat update is to their rhevm package -- so I've marked spice as the involved package until this can be researched further.


mdeslaur

possibly https://github.com/oVirt/ovirt-engine/commit/f39cf23b6fedc924d054e3178242388e52a3c7ed; likely rhevm specific