The recently declared CVEs for VBox have fixes mentioned only in the 4.3.20 release.
Debian Jessie is frozen, and for it, we have targeted the 4.3.18 release. Do you have the broken-out patches that fix the vulnerabilities?
--- Begin Message ---
On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> No specific details available yet:
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
>
> Cheers,
> Moritz
>

The following matrix is what I could grab.

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR

CVE-2014-6595 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6588 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6589 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6590 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0427 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0418 | Oracle VM VirtualBox | None | Core | No | 2.1 | Local | Low | None | None | None | Partial+ | VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28 |

*Notes:*

1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
3. VMSVGA virtual graphics device is not documented and is disabled by default.

@Moritz: There's nothing more detailed than the statement that all versions prior to 4.3.20 are vulnerable. 4.3.20 is in experimental right now.

--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
signature.asc
Description: OpenPGP digital signature
--- End Message ---
