Your message dated Mon, 27 Oct 2025 20:57:00 +0100
with message-id <[email protected]>
and subject line Re: Accepted virtualbox 7.2.4-dfsg-1 (source) into unstable
has caused the Debian Bug report #1118542,
regarding virtualbox: CVE-2025-61759 CVE-2025-61760 CVE-2025-62587 
CVE-2025-62588 CVE-2025-62589 CVE-2025-62590 CVE-2025-62591 CVE-2025-62592 
CVE-2025-62641
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2025-61759[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows low privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).


CVE-2025-61760[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Difficult to exploit vulnerability
| allows low privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  Successful attacks require human interaction from a
| person other than the attacker and while the vulnerability is in
| Oracle VM VirtualBox, attacks may significantly impact additional
| products (scope change). Successful attacks of this vulnerability
| can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score
| 7.5 (Confidentiality, Integrity and Availability impacts).  CVSS
| Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).


CVE-2025-62587[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-62588[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-62589[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-62590[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


CVE-2025-62591[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


CVE-2025-62592[7]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


CVE-2025-62641[8]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core).  Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox.  While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61759
    https://www.cve.org/CVERecord?id=CVE-2025-61759
[1] https://security-tracker.debian.org/tracker/CVE-2025-61760
    https://www.cve.org/CVERecord?id=CVE-2025-61760
[2] https://security-tracker.debian.org/tracker/CVE-2025-62587
    https://www.cve.org/CVERecord?id=CVE-2025-62587
[3] https://security-tracker.debian.org/tracker/CVE-2025-62588
    https://www.cve.org/CVERecord?id=CVE-2025-62588
[4] https://security-tracker.debian.org/tracker/CVE-2025-62589
    https://www.cve.org/CVERecord?id=CVE-2025-62589
[5] https://security-tracker.debian.org/tracker/CVE-2025-62590
    https://www.cve.org/CVERecord?id=CVE-2025-62590
[6] https://security-tracker.debian.org/tracker/CVE-2025-62591
    https://www.cve.org/CVERecord?id=CVE-2025-62591
[7] https://security-tracker.debian.org/tracker/CVE-2025-62592
    https://www.cve.org/CVERecord?id=CVE-2025-62592
[8] https://security-tracker.debian.org/tracker/CVE-2025-62641
    https://www.cve.org/CVERecord?id=CVE-2025-62641

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: virtualbox
Source-Version: 7.2.4-dfsg-1

On Mon, Oct 27, 2025 at 06:52:47PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 27 Oct 2025 19:31:26 +0100
> Source: virtualbox
> Built-For-Profiles: noudeb
> Architecture: source
> Version: 7.2.4-dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Virtualbox Team <[email protected]>
> Changed-By: Gianfranco Costamagna <[email protected]>
> Changes:
>  virtualbox (7.2.4-dfsg-1) unstable; urgency=medium
>  .
>    * New upstream version 7.2.4-dfsg
>    * Refresh patches
> 
> -----BEGIN PGP SIGNATURE-----
> 
> -----END PGP SIGNATURE-----

--- End Message ---
