Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM

2015-05-20 Thread Moritz Mühlenhoff
On Tue, May 19, 2015 at 09:36:45AM +, Gianfranco Costamagna wrote:
> Hi Debian security team, can we please follow up with the two uploads then?
>
> I'm attaching the two debdiffs,

Ok, please upload. Jessie needs to be built with -sa since virtualbox is
new in jessie-security.

I'll take care of the DSA.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM

2015-05-19 Thread Frank Mehnert
Hi Gianfranco,

On Tuesday 19 May 2015 09:17:13 Gianfranco Costamagna wrote:
> Hi Frank, are you sure the bug is really fixed?
>
> the qemu patch seems to be different from the virtualbox one, and seems that
> the affected code is not fixed
> http://git.qemu.org/?p=qemu.git;a=blobdiff;f=hw/block/fdc.c;h=d8a8edd936f42d4b1d801c996932668e456b5896;hp=f72a39216347e722496797555db9f208b0c5b4b2;hb=e907746266721f305d67bc0718795fedee2e824c;hpb=968bb75c348a401b85e08d5eb1887a3e6c3185f5
>
> e.g.
> https://security-tracker.debian.org/tracker/CVE-2015-3456
> http://xenbits.xen.org/xsa/advisory-133.html

the VirtualBox code is inherited from Qemu but the code is not the same.
Yes, we are sure the bug is fixed in VBox 4.3.28.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

ORACLE Deutschland B.V. & Co. KG
Headquarters: Riesstraße 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher





Bug#785424: Re: [vbox-dev] CVE-2015-3456 aka VENOM

2015-05-19 Thread Gianfranco Costamagna
Hi Debian security team, can we please follow up with the two uploads then?

I'm attaching the two debdiffs,

cheers,

Gianfranco




On Tuesday 19 May 2015 11:27, Frank Mehnert frank.mehn...@oracle.com wrote:
Hi Gianfranco,

On Tuesday 19 May 2015 09:17:13 Gianfranco Costamagna wrote:
> Hi Frank, are you sure the bug is really fixed?
>
> the qemu patch seems to be different from the virtualbox one, and seems that
> the affected code is not fixed
> http://git.qemu.org/?p=qemu.git;a=blobdiff;f=hw/block/fdc.c;h=d8a8edd936f42d4b1d801c996932668e456b5896;hp=f72a39216347e722496797555db9f208b0c5b4b2;hb=e907746266721f305d67bc0718795fedee2e824c;hpb=968bb75c348a401b85e08d5eb1887a3e6c3185f5
>
> e.g.
> https://security-tracker.debian.org/tracker/CVE-2015-3456
> http://xenbits.xen.org/xsa/advisory-133.html

the VirtualBox code is inherited from Qemu but the code is not the same.
Yes, we are sure the bug is fixed in VBox 4.3.28.

Kind regards,


Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany



jessie-debdiff
Description: Binary data


wheezy-debdiff
Description: Binary data