[SRU] Virtualbox in trusty 14.04 is an old version and has many security vulnerabilities

Bug #1812671 reported by Mike Salvatore on 2019-01-21
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
virtualbox (Ubuntu) | | Undecided | Gianfranco Costamagna |
  Trusty | | Undecided | Gianfranco Costamagna |
virtualbox-guest-additions-iso (Ubuntu) | | Undecided | Gianfranco Costamagna |
  Trusty | | Undecided | Gianfranco Costamagna |
virtualbox-lts-xenial (Ubuntu) | | | |
  Trusty | | Undecided | Gianfranco Costamagna |

Bug Description

[Impact]
The Virtualbox version in trusty 14.04 is 4.3.36. It is affected by up to 110 vulnerabilities. 23 can be resolved if virtualbox can be upgraded to 5.0.40. An additional 37 can be resolved if virtualbox can be upgraded to 5.1.38.

[Test Case]
* Install Vbox, and play with it

[Regression Potential]
* low, never had regressions in stable updates.
* upstream is really careful in its testing before release

Mike, I uploaded them on my ppa [1] and unapproved queue.

I think 5* series is out of scope here, but 4.3.40 is a minor jump I can do.

We can consider a 5* jump, but this probably requires a kbuild backport and a lot more testing, since the diff will be considerably huge.

[1] https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/virtualbox-ppa

We can SRU this one now, and wait for the new one in the future?

Changed in virtualbox-guest-additions-iso (Ubuntu):
status: New → In Progress
Changed in virtualbox (Ubuntu):
status: New → In Progress
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-guest-additions-iso (Ubuntu):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
summary: - Virtualbox in trusty 14.04 is an old version and has many security
+ [SRU] Virtualbox in trusty 14.04 is an old version and has many security
vulnerabilities
description: updated
Mark Foster (fostermarkd) wrote :

Given that 5.2.24+ is needed to solve CVE-2019-2511 and Trusty is ~3 months until EOL, is it even worth doing?

I suspect it is, especially because lots of people probably won't upgrade right after it becomes EOL... Fixing something is better than nothing (this is a safe update).

Changed in virtualbox-lts-xenial (Ubuntu):
status: New → Fix Released
Changed in virtualbox (Ubuntu):
status: In Progress → Fix Released
Changed in virtualbox-guest-additions-iso (Ubuntu):
status: In Progress → Fix Released
Changed in virtualbox (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-lts-xenial (Ubuntu):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-lts-xenial (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)

Hello Mike, or anyone else affected,

Accepted virtualbox-guest-additions-iso into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-guest-additions-iso/4.3.40-0ubuntu1.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Timo Aaltonen (tjaalton) wrote :

Hello Mike, or anyone else affected,

Accepted virtualbox into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox/4.3.40-dfsg-0ubuntu14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox (Ubuntu Trusty):
status: In Progress → Fix Committed

Everything seems OK!
dpkg -l |grep virtual
ii virtualbox 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - base binaries
ii virtualbox-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - kernel module sources for dkms
ii virtualbox-guest-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - guest addition module source for dkms
ii virtualbox-guest-utils 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
ii virtualbox-guest-x11 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - X11 guest utilities

And the x11-lts-xenial is also installable correctly!
rc virtualbox 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - base binaries
ii virtualbox-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - kernel module sources for dkms
rc virtualbox-guest-utils 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
ii virtualbox-guest-utils-lts-xenial 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
rc virtualbox-guest-x11 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - X11 guest utilities
ii virtualbox-guest-x11-lts-xenial 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 amd64 x86 virtualization solution - X11 guest utilities
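
The check done by eye in the comment above can be automated; this is an added example, not part of the original comment or of the Ubuntu tooling. It parses `dpkg -l` output, treats `rc` entries as removed, and compares versions using Debian ordering against the fix versions named in this report; the function names, `SAMPLE` and the `virtualbox-qt` line are constructed for illustration.

```python
import re

FIXED = "4.3.40-dfsg-0ubuntu14.04.1"                # virtualbox fix version in this report
FIXED_LTS = "4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1"  # fix version of the *-lts-xenial packages

def _order(c):  # dpkg order: '~' before end of string, letters before punctuation
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare upstream-version or revision strings the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        n = max(len(na), len(nb))  # pad the shorter non-digit run with 0 (end of string)
        ka, kb = ([_order(c) for c in s] + [0] * (n - len(s)) for s in (na, nb))
        if ka != kb:
            return -1 if ka < kb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(x, y):
    """Return -1, 0 or 1 for Debian versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, _, rest = (v if ":" in v else "0:" + v).partition(":")
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex > ey) - (ex < ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def audit(text):
    """Map each virtualbox* package in `dpkg -l` output to a verdict."""
    verdicts = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 3 and f[1].startswith("virtualbox"):
            state, name, version = f[0], f[1].split(":")[0], f[2]
            fixed = FIXED_LTS if name.endswith("-lts-xenial") else FIXED
            ok = deb_cmp(version, fixed) >= 0
            # "rc" means removed with only config files left, so not installed
            verdicts[name] = "not-installed" if state != "ii" else "fixed" if ok else "outdated"
    return verdicts

# Constructed sample: two lines from the listing above plus one made-up outdated entry.
SAMPLE = """\
rc virtualbox 4.3.40-dfsg-0ubuntu14.04.1 amd64 base binaries
ii virtualbox-guest-utils-lts-xenial 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 amd64 guest utilities
ii virtualbox-qt 4.3.36-dfsg-1 amd64 constructed outdated entry
"""
```

The -lts-xenial revision sorts below the plain virtualbox revision (`0ubuntu1…` versus `0ubuntu14…`), which is why each package family is checked against its own fix version. On a real host, `dpkg --compare-versions` performs the same comparison.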

tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Mathew Hodson (mathew-hodson) wrote :

Accepted virtualbox-lts-xenial into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-lts-xenial/4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: In Progress → Fix Committed
no longer affects: virtualbox-lts-xenial (Ubuntu)
tags: added: verification-needed verification-needed-trusty
removed: verification-done verification-done-trusty
tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-lts-xenial - 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1

---------------
virtualbox-lts-xenial (4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1) trusty; urgency=medium

  * Use lts-xenial stack. Build only guest additions (LP: #1424769).

 -- Gianfranco Costamagna <email address hidden> Fri, 01 Mar 2019 15:13:03 +0100

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for virtualbox has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-guest-additions-iso - 4.3.40-0ubuntu1.14.04.1

---------------
virtualbox-guest-additions-iso (4.3.40-0ubuntu1.14.04.1) trusty; urgency=medium

  * New upstream release
    (LP: #1812671)

 -- Gianfranco Costamagna <email address hidden> Mon, 21 Jan 2019 14:33:17 +0100

Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.3.40-dfsg-0ubuntu14.04.1

---------------
virtualbox (4.3.40-dfsg-0ubuntu14.04.1) trusty; urgency=medium

  * New upstream release (LP: #1812671)

 -- Gianfranco Costamagna <email address hidden> Mon, 21 Jan 2019 14:33:14 +0100

Changed in virtualbox (Ubuntu Trusty):
status: Fix Committed → Fix Released