|Description||Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
|Debian Bugs||509882, 509997|
Vulnerable and fixed packages
The table below lists information on source packages.
|qemu (PTS)||jessie (security), jessie||1:2.1+dfsg-12+deb8u6||fixed|
|stretch (security), stretch||1:2.8+dfsg-6+deb9u4||fixed|
The information below is based on the following data on fixed versions.
[etch] - qemu <not-affected> (Vulnerable code not present)
[lenny] - kvm <no-dsa> (Minor issue)