virtualbox: CVE-2013-3792

Related Vulnerabilities: CVE-2013-3792  

Debian Bug report logs - #715327

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 8 Jul 2013 05:36:02 UTC

Severity: important

Tags: security

Fixed in version virtualbox/4.2.16-dfsg-1

Done: Felix Geyer <fgeyer@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#715327; Package virtualbox. (Mon, 08 Jul 2013 05:36:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 05:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: virtualbox: CVE-2013-3792
Date: Mon, 08 Jul 2013 07:29:29 +0200
Package: virtualbox
Severity: important
Tags: security
Justification: user security hole

This was assigned CVE-2013-3792:
https://www.virtualbox.org/ticket/11863
https://secunia.com/advisories/53858/

Please check with upstream whether this affects 4.1.18 from stable and
3.2.10 from oldstable.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#715327; Package virtualbox. (Sun, 14 Jul 2013 16:21:08 GMT)


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Sun, 14 Jul 2013 16:21:08 GMT)


Message #10 received at 715327@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 715327@bugs.debian.org
Subject: Re: Bug#715327: virtualbox: CVE-2013-3792
Date: Sun, 14 Jul 2013 18:17:39 +0200

I'm not sure but this seems to be the workaround that
has been applied in 4.2.14:
https://www.virtualbox.org/changeset/46576/vbox

And this is the proper fix included in 4.2.16:
https://www.virtualbox.org/changeset/46904/vbox



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#715327; Package virtualbox. (Sun, 21 Jul 2013 19:42:04 GMT)


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Sun, 21 Jul 2013 19:42:04 GMT)


Message #15 received at 715327@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 715327@bugs.debian.org
Subject: Re: Bug#715327: virtualbox: CVE-2013-3792
Date: Sun, 21 Jul 2013 21:39:08 +0200

The bug affects versions 4.0 and 4.2.0 - 4.2.12 but not 4.1 or 3.x.
This means that the versions in squeeze-backports, wheezy-backports,
testing and unstable are vulnerable.




Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Sun, 21 Jul 2013 22:21:25 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 21 Jul 2013 22:21:26 GMT)


Message #20 received at 715327-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 715327-close@bugs.debian.org
Subject: Bug#715327: fixed in virtualbox 4.2.16-dfsg-1
Date: Sun, 21 Jul 2013 22:19:25 +0000
Source: virtualbox
Source-Version: 4.2.16-dfsg-1

We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 715327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated virtualbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Jul 2013 23:25:44 +0200
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils
Architecture: source amd64 all
Version: 4.2.16-dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description: 
 virtualbox - x86 virtualization solution - base binaries
 virtualbox-dbg - x86 virtualization solution - debugging symbols
 virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
 virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
 virtualbox-guest-source - x86 virtualization solution - guest addition module source
 virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
 virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
 virtualbox-qt - x86 virtualization solution - Qt based user interface
 virtualbox-source - x86 virtualization solution - kernel module source
Closes: 712438 715327
Changes: 
 virtualbox (4.2.16-dfsg-1) unstable; urgency=high
 .
   [ Felix Geyer ]
   * New upstream release.
     - Fixes CVE-2013-3792: virtio-net host DoS vulnerability. (Closes: #715327)
   * Drop 36-python-multiarch.patch and 37-wheezy-kernel-drm.patch,
     fixed upstream.
   * Explicitly load the vboxguest and vboxsf kernel modules in the
     virtualbox-guest-utils init script.
     This makes sure that shared folders can be mounted. (Closes: #712438)
 .
   [ Gianfranco Costamagna ]
   * Patch refresh.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Aug 2013 07:27:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:29 2019; Machine Name: buxtehude
