Bugzilla – Bug 742115
VUL-0: virtualbox: Oracle advisory covers multiple virtualbox vulnerabilities
Last modified: 2012-10-12 11:29:55 UTC
Recent Oracle advisory: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html names some VirtualBox fixes: CVE-2012-0105, CVE-2012-0111 and CVE-2011-3571. We need to check whether this affects us.
Michal, would you be so kind as to check it?
*** Bug 742274 has been marked as a duplicate of this bug. ***
I guess we currently support openSUSE:11.4, openSUSE:12.1 and openSUSE:Factory; please correct me if I am wrong. Here is the vbox version vs. distro release:

vbox-4.0.12 openSUSE:11.4:Update:Test
vbox-4.1.4 openSUSE:12.1
vbox 4.1.8 openSUSE:Factory

According to the table at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html: CVE-2011-3571 is irrelevant, as it affects vbox version 3.2 (we have only >= 4.0.12). Also, we are not affected by CVE-2012-0105, as we don't provide Windows Guest Additions. So there is only CVE-2012-0111, but I can't find more information about this security issue, so I will ask about it on the vbox mailing list. If you have more info about CVE-2011-3571, please give me a note. Thanks.
bugbot adjusting priority
Here is the thread on the vbox mailing list (regarding CVE-2012-0111): http://www.mail-archive.com/vbox-dev@virtualbox.org/msg04818.html. Unfortunately, from the response it is not clear whether virtualbox 4.1.4 in our openSUSE 12.1 is affected by CVE-2012-0111; however, the virtualbox 4.1.8 release (openSUSE:Factory) fixed this security issue, so my suggestion is to update virtualbox to 4.1.8 for openSUSE 12.1.
After discussing in the team, this should be no problem for 12.1. So just do it. :)
Created request #136305 (using osc maintenancerequest) to update vbox in SUSE 12.1 to 4.1.22 (the update also fixes VUL-1 bnc#780711).
openSUSE-SU-2012:1323-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (low)
Bug References: 737525,742115,743143,761923,780711
CVE References: CVE-2011-3571,CVE-2012-0105,CVE-2012-0111
Sources used:
openSUSE 12.2 (src): virtualbox-4.1.22-1.6.1
openSUSE 12.1 (src): virtualbox-4.1.22-3.5.1
openSUSE 11.4 (src): virtualbox-4.0.12-0.48.1
Released, I think.