Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM
On Tue, May 19, 2015 at 09:36:45AM +, Gianfranco Costamagna wrote:
> Hi Debian security team, can we please follow up with the two uploads then?
>
> I'm attaching the two debdiffs,

Ok, please upload. Jessie needs to be built with -sa since virtualbox is new in jessie-security.

I'll take care of the DSA.

Cheers,
Moritz

Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM
Hi Gianfranco,

On Tuesday 19 May 2015 09:17:13 Gianfranco Costamagna wrote:
> Hi Frank,
> are you sure the bug is really fixed? the qemu patch seems to be different
> from the virtualbox one, and seems that the affected code is not fixed
>
> http://git.qemu.org/?p=qemu.git;a=blobdiff;f=hw/block/fdc.c;h=d8a8edd936f42d4b1d801c996932668e456b5896;hp=f72a39216347e722496797555db9f208b0c5b4b2;hb=e907746266721f305d67bc0718795fedee2e824c;hpb=968bb75c348a401b85e08d5eb1887a3e6c3185f5
>
> e.g.
> https://security-tracker.debian.org/tracker/CVE-2015-3456
> http://xenbits.xen.org/xsa/advisory-133.html

the VirtualBox code is inherited from Qemu but the code is not the same. Yes, we are sure the bug is fixed in VBox 4.3.28.

Kind regards,
Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox

Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM
Hi Debian security team, can we please follow up with the two uploads then?

I'm attaching the two debdiffs,

Cheers,
Gianfranco

On Tuesday 19 May 2015 11:27, Frank Mehnert frank.mehn...@oracle.com wrote:
> Hi Gianfranco,
>
> On Tuesday 19 May 2015 09:17:13 Gianfranco Costamagna wrote:
> > Hi Frank,
> > are you sure the bug is really fixed? the qemu patch seems to be different
> > from the virtualbox one, and seems that the affected code is not fixed
> >
> > http://git.qemu.org/?p=qemu.git;a=blobdiff;f=hw/block/fdc.c;h=d8a8edd936f42d4b1d801c996932668e456b5896;hp=f72a39216347e722496797555db9f208b0c5b4b2;hb=e907746266721f305d67bc0718795fedee2e824c;hpb=968bb75c348a401b85e08d5eb1887a3e6c3185f5
> >
> > e.g.
> > https://security-tracker.debian.org/tracker/CVE-2015-3456
> > http://xenbits.xen.org/xsa/advisory-133.html
>
> the VirtualBox code is inherited from Qemu but the code is not the same. Yes, we are sure the bug is fixed in VBox 4.3.28.
>
> Kind regards,
> Frank
> --
> Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox

Attachments:
jessie-debdiff (Description: Binary data)
wheezy-debdiff (Description: Binary data)