Your message dated Wed, 14 May 2025 13:09:03 +0000
with message-id <e1ufbr5-00f8nx...@fasolo.debian.org>
and subject line Bug#1103582: fixed in virtualbox 7.0.26-dfsg-1
has caused the Debian Bug report #1103582,
regarding virtualbox: CVE-2025-30712 CVE-2025-30719 CVE-2025-30725
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103582
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: virtualbox
Version: 7.0.20-dfsg-1.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for virtualbox.
CVE-2025-30712[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle VM VirtualBox
| accessible data as well as unauthorized access to critical data or
| complete access to all Oracle VM VirtualBox accessible data and
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1
| (Confidentiality, Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
CVE-2025-30719[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Easily exploitable vulnerability allows low
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of Oracle
| VM VirtualBox and unauthorized read access to a subset of Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality
| and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).
CVE-2025-30725[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.1.6. Difficult to exploit vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of Oracle VM
| VirtualBox as well as unauthorized update, insert or delete access
| to some of Oracle VM VirtualBox accessible data and unauthorized
| read access to a subset of Oracle VM VirtualBox accessible data.
| CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30712
https://www.cve.org/CVERecord?id=CVE-2025-30712
[1] https://security-tracker.debian.org/tracker/CVE-2025-30719
https://www.cve.org/CVERecord?id=CVE-2025-30719
[2] https://security-tracker.debian.org/tracker/CVE-2025-30725
https://www.cve.org/CVERecord?id=CVE-2025-30725
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: virtualbox
Source-Version: 7.0.26-dfsg-1
Done: Gianfranco Costamagna <locutusofb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofb...@debian.org> (supplier of updated
virtualbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 14 May 2025 14:19:49 +0200
Source: virtualbox
Built-For-Profiles: noudeb
Architecture: source
Version: 7.0.26-dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Virtualbox Team <team+debian-virtual...@tracker.debian.org>
Changed-By: Gianfranco Costamagna <locutusofb...@debian.org>
Closes: 1080878 1082889 1085440 1093879 1094801 1098998 1101182 1103582
Changes:
virtualbox (7.0.26-dfsg-1) unstable; urgency=medium
.
[ Gianfranco Costamagna ]
* Ack previous NMUs, thanks!
* New upstream release 7.0.26-dfsg (Closes: #1103582, Closes: #1101182,
Closes: #1093879, Closes: #1085440).
- CVE-2025-30712 CVE-2025-30719 CVE-2025-30725 should be fixed by this
release
- CVE-2025-21533 CVE-2025-21571 should be fixed by this release
- CVE-2024-21248 CVE-2024-21253 CVE-2024-21259 CVE-2024-21263
CVE-2024-21273 should be fixed by this release
* Refresh patches
* Add libfuse2 runtime dependency (Closes: #1082889), thanks Marco Moock for
the report
.
[ Tobias Frost ]
* Fix broken watchfile (Closes: #1094801)
.
[ Stefano Rivera ]
* Add missing Build-Depends on python3-setuptools (Closes: #1080878)
.
[ Andreas Beckmann ]
* dkms and module-assistant updates (Closes: #1098998)
--- End Message ---