On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
> On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> > Package: virtualbox
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > No specific details available yet:
> > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> >
> > Cheers,
> >         Moritz
> >
> 
> The following matrix is what I could grab.
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
> 
> CVE#           Component             Protocol  Sub-component  Remote Exploit  CVSS  Access  Access      Auth.   Conf.  Integrity  Avail.    Supported Versions Affected                         Notes
>                                                               without Auth.?  Base  Vector  Complexity
> CVE-2014-6595  Oracle VM VirtualBox  None      VMSVGA device  No              3.2   Local   Low         Single  None   Partial+   Partial+  VirtualBox prior to 4.3.20                          See Note 3
> CVE-2014-6588  Oracle VM VirtualBox  None      VMSVGA device  No              3.2   Local   Low         Single  None   Partial+   Partial+  VirtualBox prior to 4.3.20                          See Note 3
> CVE-2014-6589  Oracle VM VirtualBox  None      VMSVGA device  No              3.2   Local   Low         Single  None   Partial+   Partial+  VirtualBox prior to 4.3.20                          See Note 3
> CVE-2014-6590  Oracle VM VirtualBox  None      VMSVGA device  No              3.2   Local   Low         Single  None   Partial+   Partial+  VirtualBox prior to 4.3.20                          See Note 3
> CVE-2015-0427  Oracle VM VirtualBox  None      VMSVGA device  No              3.2   Local   Low         Single  None   Partial+   Partial+  VirtualBox prior to 4.3.20                          See Note 3
> CVE-2015-0418  Oracle VM VirtualBox  None      Core           No              2.1   Local   Low         None    None   None       Partial+  VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
> 
> *Notes:*
> 
>  1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
>  2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
>     CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
>  3. VMSVGA virtual graphics device is not documented and is disabled by
>     default.
> 
> @Moritz: There's nothing more detailed than the statement that all
> versions prior to 4.3.20 are vulnerable.
> 4.3.20 is in experimental right now.

In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information so that
we can merge the isolated fixes into the jessie version?

Cheers,
        Moritz

