Libvirt Security Notice: LSN-2017-0002
        ======================================

       Summary: TLS certificate verification disabled for clients
   Reported on: 20171005
  Published on: 20171016
      Fixed on: 20171016
   Reported by: Daniel P. Berrange <berrange@redhat.com>
    Patched by: Daniel P. Berrange <berrange@redhat.com>
      See also: CVE-2017-1000256

Description
-----------

The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the TLS servers in QEMU request & verify
certificates from clients. This works as a simple access control
system for QEMU servers by requiring the CA to issue certs to
permitted clients. This use of client certificates is disabled by
default, since it requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration
parameters when setting up both TLS clients and servers in QEMU. The
result was that TLS clients for character devices and disk devices
had verification turned off, meaning they would ignore any errors
while validating the server certificate.

Impact
------

A MITM attacker can attack any client connection made by QEMU's
character devices and disk devices which have TLS enabled. The
attacker can send an arbitrary certificate back to the client QEMU
and it will ignore all errors that result during validation.

Workaround
----------

Enable the 'default_tls_x509_verify' parameter in qemu.conf restart
libvirtd. This will trigger libvirt to turn on certificate
verification in QEMU clients. Unfortunately this will also turn on
use of client certificates in QEMU servers.

Affected product
----------------

        Name: libvirt
  Repository: https://gitlab.com/libvirt/libvirt

      Branch: master
   Broken in: v2.3.0
   Broken in: v2.4.0
   Broken in: v2.5.0
   Broken in: v3.0.0
   Broken in: v3.1.0
   Broken in: v3.2.0
   Broken in: v3.3.0
   Broken in: v3.4.0
   Broken in: v3.5.0
   Broken in: v3.6.0
   Broken in: v3.7.0
   Broken in: v3.8.0
    Fixed in: v3.9.0
   Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
    Fixed by: 441d3eb6d1be940a67ce45a286602a967601b157

      Branch: v3.0-maint
   Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
    Fixed by: 16daadc708be65c2681f54d33ac4004ccaf6e82d

      Branch: v3.2-maint
   Broken in: v3.2.1
   Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
    Fixed by: 9e6bc47bb541d8eea10cdd5704ea7f5e699bf0ba

      Branch: v3.7-maint
   Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
    Fixed by: dc6c41798d1eb5c52c75365ffa22f7672709dfa7