CVE-2013-6434
Publication date 24 January 2014
Last updated 24 July 2024
Ubuntu priority
The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.3, when using a native SPICE client invocation method, initially makes insecure connections to the SPICE server, which allows man-in-the-middle attackers to spoof the SPICE server.
Notes
seth-arnold
Insufficient details were provided to determine where the fault is -- the Red Hat update is to their rhevm package -- so I've marked spice as the involved package until this can be researched further.
mdeslaur
possibly https://github.com/oVirt/ovirt-engine/commit/f39cf23b6fedc924d054e3178242388e52a3c7ed, likely rhevm specific