Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Forwarding the email from the security team.

The debdiff is the new iso file and a new changelog entry, nothing more.
You can grab the file from here:
http://debomatic-amd64.debian.net/distribution#stable/virtualbox-guest-additions-iso/4.3.36-1+deb8u1/buildlog

This is the changelog entry:

diff -Nru virtualbox-guest-additions-iso-4.3.18/debian/changelog virtualbox-guest-additions-iso-4.3.36/debian/changelog --- virtualbox-guest-additions-iso-4.3.18/debian/changelog 2015-03-26 11:39:19.000000000 +0100 +++ virtualbox-guest-additions-iso-4.3.36/debian/changelog 2016-07-16 13:19:14.000000000 +0200
@@ -1,3 +1,14 @@ +virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium + + * New upstream bugfix release. + - Addressed CVE-2016-0592, + CVE-2016-0495, CVE-2015-8104, + CVE-2015-7183, CVE-2015-5307, + CVE-2015-7183, CVE-2015-4813, + CVE-2015-4896, CVE-2015-3456 + + -- Gianfranco Costamagna <locutusofb...@debian.org> Fri, 15 Jul 2016 18:11:50 +0200 + virtualbox-guest-additions-iso (4.3.18-3) unstable; urgency=high * Reuploading the previous package, the -2 got removed because of Binary files /tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.18.iso and /tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.18.iso differ Binary files /tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.36.iso and /tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.36.iso differ

cheers,
Gianfranco

On Friday, 15 July 2016 20:25, Salvatore Bonaccorso <car...@debian.org> wrote:

Hi Gianfranco,

On Fri, Jul 15, 2016 at 04:10:38PM +0000, Gianfranco Costamagna wrote:
> Hi Security Team, a while ago we got virtualbox updated from 4.3.18
> to 4.3.36 as security
> upload.
>
> This was a complete success, but now we have two "issues" 1) there
> is a mismatch between virtualbox and virtualbox-guest-additions-iso
> packages (this isn't a big issue, since it is just a warning)
>
> 2) the guest-additions-iso package is an iso file that contains some
> source code (from virtualbox) and builds kernel modules and some
> tools used in the guest machines.
>
> I don't know, but it might be affected by some/many of the same CVEs
> that we fixed in virtualbox, so I think it is a sane idea to have a
> security upload also for this package.
>
> What is your opinion? I can upload a 4.3.36 in a few minutes if
> needed, it is just a matter of packing an iso and creating a
> changelog entry.

The package being non-free in all supported suites is not really
supported via security.d.o. Could you contact the stable release
managers to have an update scheduled via a point release? Cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore
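
Review bot: CVE-2015-7183 is listed twice in the new changelog entry's "Addressed" list (once before CVE-2015-5307 and again before CVE-2015-4813), so the entry names eight distinct CVEs, not nine. Drop the repeat, or substitute the intended identifier if a different one was meant there. Separately, the ISO payload appears only as "Binary files ... differ", so its content cannot be reviewed from this debdiff; including the upstream checksum of VBoxGuestAdditions_4.3.36.iso in the request would let the release team verify the file they are accepting.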