Yes. We'll talk to the upstream folks. s3nt fr0m a $martph0ne, excuse typ0s On Jan 21, 2015 1:28 PM, "Moritz Muehlenhoff" <j...@inutil.org> wrote:
> On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote: > > On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote: > > > Package: virtualbox > > > Severity: grave > > > Tags: security > > > Justification: user security hole > > > > > > No specific details available yet: > > > > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html > > > > > > Cheers, > > > Moritz > > > > > > > The following matrix is what I could grab. > > > > > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR > > > > CVE-2014-6595 Oracle VM VirtualBox None VMSVGA device > No 3.2 > > Local Low Single None Partial+ Partial+ > VirtualBox prior to > > 4.3.20 See Note 3 > > CVE-2014-6588 Oracle VM VirtualBox None VMSVGA device > No 3.2 > > Local Low Single None Partial+ Partial+ > VirtualBox prior to > > 4.3.20 See Note 3 > > CVE-2014-6589 Oracle VM VirtualBox None VMSVGA device > No 3.2 > > Local Low Single None Partial+ Partial+ > VirtualBox prior to > > 4.3.20 See Note 3 > > CVE-2014-6590 Oracle VM VirtualBox None VMSVGA device > No 3.2 > > Local Low Single None Partial+ Partial+ > VirtualBox prior to > > 4.3.20 See Note 3 > > CVE-2015-0427 Oracle VM VirtualBox None VMSVGA device > No 3.2 > > Local Low Single None Partial+ Partial+ > VirtualBox prior to > > 4.3.20 See Note 3 > > CVE-2015-0418 Oracle VM VirtualBox None Core No > 2.1 Local Low > > None None None Partial+ VirtualBox prior to 3.2.26, > 4.0.28, 4.1.36, > > 4.2.28 > > > > *Notes:* > > > > 1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and > CVE-2014-5704. > > 2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, > > CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076. > > 3. VMSVGA virtual graphics device is not documented and is disabled by > > default. > > > > @Moritz: There's nothing more detailed than the statement that all > > versions proior to 4.3.20 are vulnerable. > > 4.3.20 is in experimental right now. > > In the past someone from upstream posted the upstream commits to the > bug log, maybe you can contact them for more information so that > we can merge the isolated fixes into the jessie version? > > Cheers, > Moritz >