Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Hi all,

so to sum everything up:

- experimental: NOT AFFECTED.
- jessie: fixed all of them by disabling the code (attached jessie-debdiff)
- wheezy: fixed CVE-2015-0377, CVE-2015-0418
- wheezy-bpo: I propose to backport the new 4.3.18 into bpo when it reaches testing.
- squeeze: no virtualbox there
- squeeze-bpo: I propose to backport kbuild and then virtualbox 4.1 or 4.3 from wheezy-jessie.

Attached the debdiffs.

Thanks again Frank for your help!

cheers,

Gianfranco

[Attachment: wheezy-debdiff (binary data)]
[Attachment: jessie-debdiff (binary data)]
Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Hi,

On Wednesday 21 January 2015 18:55:40 Ritesh Raj Sarraf wrote:
> The recently declared CVEs for VBox have fixes mentioned only in the 4.3.20 release. Debian Jessie is frozen, and for it, we have targeted the 4.3.18 release. Do you have the broken out patches that fix the vulnerabilities?

Most CVEs from that CPU are related to the experimental VMSVGA implementation. This code is not documented and not announced, and regular users will not use it. Therefore I suggest that you just disable that code by setting

    VBOX_WITH_VMSVGA=
    VBOX_WITH_VMSVGA3D=

This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589, CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit lengthy, therefore disabling this code is IMO the best solution.

- CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
- CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
- CVE-2014-0224: this is related to OpenSSL and therefore not a problem for Linux distributions, as you compile your code against the distro-specific OpenSSL implementation.

Frank

--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Hi Frank,

> Most CVEs from that CPU are related to the experimental VMSVGA implementation. This code is not documented and not announced, and regular users will not use it. Therefore I suggest that you just disable that code by setting
>
>     VBOX_WITH_VMSVGA=
>     VBOX_WITH_VMSVGA3D=
>
> This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589, CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit lengthy, therefore disabling this code is IMO the best solution.

I presume starting from version 4.0 everything needs to be patched by disabling it?

> CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
> CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)

Do you have any patch for <= 4.2.x then? We have in the archive (debian and ubuntu):

- 4.0.10
- 4.1.12
- 4.1.18
- 4.3.10
- 4.3.14
- 4.3.18
- 4.3.20 (not affected at all, I presume)