virtualbox multiple security vulnerabilities
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | virtualbox (Ubuntu) |
Undecided
|
Unassigned | ||
Bug Description
debdiff attached
CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Please wait until the patches are accepted into debian.
Precise is in proposed and will be released tomorrow, trusty needs some days more, I made them on top of the proposed pockets.
vivid is not affected.
| information type: | Private Security → Public Security |
utopic debdiff attached, rebased on debian upload -2.
There is some noise deleted too.
can anybody please upload utopic?
| Seth Arnold (seth-arnold) wrote : | #10 |
The utopic-debdiff-2 changes are primarily quilt-related rather than the package sources. Can you please confirm if the other changes are correct? (I don't mind filtering out the quilt changes by hand, but I'm worried that the patch isn't complete / correct if quilt changes have crept in.)
Please note that we like to keep all our security update changelog entries standardized; the template is at https:/
Thanks
Hi Seth, the patch is good, the only real change is the set of the two variables in the rules file, since all the CVEs in utopic are related to an experimental code not yet ready for usage (cfr. Upstream as Frank on the debian bug).
Please read the debian bug, it has the full explanation and the testing done. The other CVEs doesn't affect utopic, but only < 4.3 releases.
(for the template I'll keep it in mind on my next debian security upload and cherry-pick it there)
Hi Seth:
precise moved from proposed to updates, for me precise and utopic are good to go.
also trusty moved to updates.
| Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package virtualbox - 4.3.18-
---------------
virtualbox (4.3.18-
* SECURITY UPDATE: multiple flaws in experimental video code (LP: #1413603)
(Standardizing the lower changelog entry. -- Seth Arnold)
- CVE-2014-6595
- CVE-2014-6590
- CVE-2014-6589
- CVE-2014-6588
- CVE-2015-0427
-- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 14:48:07 +0100
| Changed in virtualbox (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #17 |
This bug was fixed in the package virtualbox - 4.1.12-
---------------
virtualbox (4.1.12-
[ Seth Arnold standardizing the changelog entry ]
* SECURITY UPDATE: multiple flaws (LP: #1413603)
- debian/
- debian/
- CVE-2015-0377
- CVE-2015-0418
[ Frank Mehnert ]
* fix security vulnerabilities (Closes: #775888)
CVE-2015-0377, CVE-2015-0418
- debian/
-- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 14:49:47 +0100
| Changed in virtualbox (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #16 |
This bug was fixed in the package virtualbox - 4.3.10-
---------------
virtualbox (4.3.10-
[ Seth Arnold standardizing the changelog entry ]
* SECURITY UPDATE: multiple flaws in experimental video code (LP: #1413603)
- CVE-2014-6595
- CVE-2014-6590
- CVE-2014-6589
- CVE-2014-6588
- CVE-2015-0427
[ Frank Mehnert ]
* d/rules: Disable experimental code by exporting
VBOX_
this fixes CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
CVE-2014-6588 and CVE-2015-0427. (Closes: #775888)
-- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 10:51:40 +0100
| Changed in virtualbox (Ubuntu): | |
| status: | New → Fix Released |
| Seth Arnold (seth-arnold) wrote : | #18 |
Thanks Gianfranco!
thanks to you for fixing my debdiffs, caring and uploading!
utopic patch