CVE-2015-2594

Related Vulnerabilities: CVE-2015-2594   CVE-2013-3792   CVE-2014-2486   CVE-2014-2488   CVE-2014-2489  

Debian Bug report logs - #792446
CVE-2015-2594

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 14 Jul 2015 20:27:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions virtualbox/4.3.18-dfsg-3, virtualbox/4.3.28-dfsg-1

Fixed in versions virtualbox/4.3.30-dfsg-1+deb8u1, virtualbox/4.3.30-dfsg-1, virtualbox/4.1.40-dfsg-1+deb7u1, virtualbox-ose/3.2.28-dfsg-1+squeeze1

Done: Mike Gabriel <sunweaver@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#792446; Package virtualbox. (Tue, 14 Jul 2015 20:27:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 14 Jul 2015 20:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-2594
Date: Tue, 14 Jul 2015 22:22:16 +0200
Package: virtualbox
Version: 4.3.28-dfsg-1+b1
Severity: grave
Tags: security

Today's Oracle CPU fixes an undisclosed vulnerability in VirtualBox
related to guests using bridged networking over Wifi:
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#792446; Package virtualbox. (Wed, 15 Jul 2015 06:39:15 GMT)


Acknowledgement sent to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 15 Jul 2015 06:39:15 GMT)


Message #10 received at 792446@bugs.debian.org:

From: Ritesh Raj Sarraf <rrs@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 792446@bugs.debian.org
Subject: Re: Bug#792446: CVE-2015-2594
Date: Wed, 15 Jul 2015 12:04:40 +0530
On Wednesday 15 July 2015 01:52 AM, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Version: 4.3.28-dfsg-1+b1
> Severity: grave
> Tags: security
>
> Today's Oracle CPU fixes an undisclosed vulnerability in VirtualBox
> related to guests using bridged networking over Wifi:
> http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html


Good timing for us then. :-)

We just finished the 4.3.30 build, which claims to have this fix
included. I'll be doing a source-only upload later today.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#792446; Package virtualbox. (Wed, 15 Jul 2015 09:06:19 GMT)


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 15 Jul 2015 09:06:19 GMT)


Message #15 received at 792446@bugs.debian.org:

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: "rrs@debian.org" <rrs@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, "792446@bugs.debian.org" <792446@bugs.debian.org>
Subject: Re: Bug#792446: CVE-2015-2594
Date: Wed, 15 Jul 2015 08:48:02 +0000 (UTC)
Hi *

>Good timing for us then. :-)


yes, it is :)

>We just finished the 4.3.30 build, which claims to have this fix
>included. I'll be doing a source-only upload later today.



I asked on the mailing list for a patch for the CVE only, in order to have targeted fixes for stable releases too

https://www.virtualbox.org/pipermail/vbox-dev/2015-July/013312.html

cheers,

G.



Marked as found in versions virtualbox/4.3.18-dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Jul 2015 11:15:08 GMT)


Marked as fixed in versions virtualbox/4.3.30-dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Jul 2015 11:15:11 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Jul 2015 11:15:15 GMT)


Reply sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
You have taken responsibility. (Mon, 14 Sep 2015 16:54:48 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 14 Sep 2015 16:54:48 GMT)


Message #26 received at 792446-done@bugs.debian.org:

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: "792446-done@bugs.debian.org" <792446-done@bugs.debian.org>
Date: Mon, 14 Sep 2015 16:53:40 +0000 (UTC)
Control: fixed -1 4.3.30-dfsg-1+deb8u1

Control: fixed -1 4.1.40-dfsg-1+deb7u1

closing then!

cheers,

G.



Marked as fixed in versions virtualbox/4.3.30-dfsg-1+deb8u1. Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it> to control@bugs.debian.org. (Mon, 14 Sep 2015 17:00:11 GMT)


Marked as fixed in versions virtualbox/4.1.40-dfsg-1+deb7u1. Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it> to control@bugs.debian.org. (Mon, 14 Sep 2015 17:00:12 GMT)


Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Tue, 29 Sep 2015 10:24:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 29 Sep 2015 10:24:07 GMT)


Message #35 received at 792446-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 792446-close@bugs.debian.org
Subject: Bug#792446: fixed in virtualbox-ose 3.2.28-dfsg-1+squeeze1
Date: Tue, 29 Sep 2015 10:21:20 +0000
Source: virtualbox-ose
Source-Version: 3.2.28-dfsg-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
virtualbox-ose, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 792446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated virtualbox-ose package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 29 Sep 2015 11:33:20 +0200
Source: virtualbox-ose
Binary: virtualbox-ose-qt virtualbox-ose virtualbox-ose-dbg virtualbox-ose-dkms virtualbox-ose-source virtualbox-ose-guest-dkms virtualbox-ose-guest-source virtualbox-ose-guest-x11 virtualbox-ose-guest-utils virtualbox-ose-fuse
Architecture: source amd64 all
Version: 3.2.28-dfsg-1+squeeze1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 virtualbox-ose - x86 virtualization solution - base binaries
 virtualbox-ose-dbg - x86 virtualization solution - debugging symbols
 virtualbox-ose-dkms - x86 virtualization solution - kernel module sources for dkms
 virtualbox-ose-fuse - x86 virtualization solution - virtual filesystem
 virtualbox-ose-guest-dkms - x86 virtualization solution - guest addition module source for dk
 virtualbox-ose-guest-source - x86 virtualization solution - guest addition module source
 virtualbox-ose-guest-utils - x86 virtualization solution - non-X11 guest utilities
 virtualbox-ose-guest-x11 - x86 virtualization solution - X11 guest utilities
 virtualbox-ose-qt - x86 virtualization solution - Qt based user interface
 virtualbox-ose-source - x86 virtualization solution - kernel module source
Closes: 715327 754939 792446
Changes: 
 virtualbox-ose (3.2.28-dfsg-1+squeeze1) squeeze-lts; urgency=medium
 .
   [ Gianfranco Costamagna ]
   * New upstream release.
   * Remove all the CVE related patches, and refresh patches.
 .
   [ Mike Gabriel ]
   * Non-maintainer upload by the Debian LTS team.
     - Fixes CVE-2013-3792. (Closes: #715327).
     - Fixes CVE-2014-2486, CVE-2014-2488 and CVE-2014-2489 (Closes: #754939).
     - Fixes CVE-2015-2594. (Closes: #792446).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jan 2016 07:31:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:43 2019; Machine Name: buxtehude
