Your message dated Mon, 14 Sep 2015 16:52:32 +0000 (UTC)
with message-id <1173833096.3187595.1442249552699.javamail.ya...@mail.yahoo.com>
and subject line closing!
has caused the Debian Bug report #794466,
regarding Virtualbox might not be suitable for Stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
794466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: virtualbox
Version: 4.3.30-dfsg-1
Severity: critical


X-Debbugs-CC: j...@inutil.org
X-Debbugs-CC: r...@debian.org
X-Debbugs-CC: frank.mehn...@oracle.com
X-Debbugs-CC: klaus.espenl...@oracle.com

(please cc people if needed)
As said in many different threads [1, bottom of the mail], Upstream doesn't play
in a really fair mode wrt CVEs in the package (it used to, but not for the
current CVE list).

This basically makes the package unsuitable for Stable Releases, since "Upgrade 
to a newer release" is not the correct answer, and
cherry-picking patches without upstream support is just impossible/not easily 
feasible for such a huge codebase.

I quote a mail from some Vbox upstream developers and Debian folks.

Personal Maintainer opinion:
I do not have anything against Virtualbox nor against Upstream, which is made up of
competent people who helped us a lot and did great work in merging
patches (also my patches) and providing such a good tool for us. I love the
package and I would like to see it in Debian, but since people working for
Oracle might risk getting punished for not following the Oracle policy, I think
we are not sure we can continue giving a CVE-free package for Stable Releases.

So, while Oracle employees try to find out an Open Source friendly way to
cooperate with us, I'm opening this bug to let the community be aware of the
status quo of the package.


On Tuesday 28 July 2015 14:00:31 Ritesh Raj Sarraf wrote:
> I am writing to you seeking clarification on what the project's stance
> is for Security Vulnerabilities.
>
> As you know, for Debian, we package VirtualBox. Given the breadth of
> the Debian project (oldstable, stable, testing, LTS, derivatives), it
> is important for us to have access to security fixes in an easy format.
>
> https://security-tracker.debian.org/tracker/CVE-2015-2594
>
> For example, for the above CVE, afaik all we have is a consolidated
> report. http://www.oracle.com/technetwork/topics/security/cpujul2015
> -2367936.html
>
> With no broken down fixes in an easy format, it makes it difficult to
> backport those fixes to older versions.

I'm aware of the problem. Unfortunately there is an Oracle policy which
forbids us to provide relevant information about security bugs, see
here:

http://www.oracle.com/us/support/assurance/vulnerability-remediation/disclosure/index.html

We are currently trying to find out what's possible to help you but this
will take some more time.



Thanks folks for the help, I still hope we can solve it in a good way, to avoid
Virtualbox disappearing there :)


cheers!

Gianfranco

--- End Message ---
--- Begin Message ---
Hi, Virtualbox is finally CVE free in wheezy and jessie.

thanks to all for the support!

cheers,

G.

--- End Message ---
