Your message dated Thu, 17 Jul 2025 22:12:00 +0200
with message-id <[email protected]>
and subject line Re: Accepted virtualbox 7.1.12-dfsg-1 (source) into unstable
has caused the Debian Bug report #1109373,
regarding virtualbox: CVE-2025-53024 CVE-2025-53025 CVE-2025-53026 
CVE-2025-53027 CVE-2025-53028 CVE-2025-53029 CVE-2025-53030
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2025-53024[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in takeover of Oracle VM VirtualBox.
| CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-53025[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in  unauthorized access to critical
| data or complete access to all Oracle VM VirtualBox accessible data.
| CVSS 3.1 Base Score 6.0 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


CVE-2025-53026[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in  unauthorized access to critical
| data or complete access to all Oracle VM VirtualBox accessible data.
| CVSS 3.1 Base Score 6.0 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


CVE-2025-53027[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in takeover of Oracle VM VirtualBox.
| CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-53028[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in takeover of Oracle VM VirtualBox.
| CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-53029[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  Successful
| attacks of this vulnerability can result in  unauthorized read
| access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1
| Base Score 2.3 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).


CVE-2025-53030[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).   The supported version that is
| affected is 7.1.10. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox.  While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change).  Successful attacks of
| this vulnerability can result in  unauthorized access to critical
| data or complete access to all Oracle VM VirtualBox accessible data.
| CVSS 3.1 Base Score 6.0 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53024
    https://www.cve.org/CVERecord?id=CVE-2025-53024
[1] https://security-tracker.debian.org/tracker/CVE-2025-53025
    https://www.cve.org/CVERecord?id=CVE-2025-53025
[2] https://security-tracker.debian.org/tracker/CVE-2025-53026
    https://www.cve.org/CVERecord?id=CVE-2025-53026
[3] https://security-tracker.debian.org/tracker/CVE-2025-53027
    https://www.cve.org/CVERecord?id=CVE-2025-53027
[4] https://security-tracker.debian.org/tracker/CVE-2025-53028
    https://www.cve.org/CVERecord?id=CVE-2025-53028
[5] https://security-tracker.debian.org/tracker/CVE-2025-53029
    https://www.cve.org/CVERecord?id=CVE-2025-53029
[6] https://security-tracker.debian.org/tracker/CVE-2025-53030
    https://www.cve.org/CVERecord?id=CVE-2025-53030

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: virtualbox
Source-Version: 7.1.12-dfsg-1

I think this fixes all of the recent CVEs from the Oracle CPU.

Closing the bug manually.

Regards,
Salvatore

On Thu, Jul 17, 2025 at 04:07:41PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Thu, 17 Jul 2025 17:50:19 +0200
> Source: virtualbox
> Built-For-Profiles: noudeb
> Architecture: source
> Version: 7.1.12-dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Virtualbox Team <[email protected]>
> Changed-By: Gianfranco Costamagna <[email protected]>
> Changes:
>  virtualbox (7.1.12-dfsg-1) unstable; urgency=medium
>  .
>    * New upstream version 7.1.12-dfsg
> 
> -----BEGIN PGP SIGNATURE-----
> 
> -----END PGP SIGNATURE-----
> 

--- End Message ---
