Bug 742115 - VUL-0: virtualbox: Oracle advisory covers multiple virtualbox vulnerabilities
Status: RESOLVED FIXED
Duplicates: 742274
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium; Severity: Major
Assigned To: Michal Seben
Reported: 2012-01-18 15:13 UTC by Sebastian Krahmer
Modified: 2012-10-12 11:29 UTC

Description Sebastian Krahmer 2012-01-18 15:13:13 UTC
Recent Oracle advisory:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

names some VirtualBox fixes:

CVE-2012-0105, CVE-2012-0111 and CVE-2011-3571.

We need to check whether this affects us.
Comment 1 Michal Vyskocil 2012-01-19 13:09:52 UTC
Michal, would you be so kind as to check it?
Comment 2 Ludwig Nussel 2012-01-20 14:09:10 UTC
*** Bug 742274 has been marked as a duplicate of this bug. ***
Comment 3 Michal Seben 2012-01-20 20:19:04 UTC
I guess we currently support
openSUSE:11.4 openSUSE:12.1 and openSUSE:Factory,
please correct me if I am wrong

here is the vbox version vs distro release
vbox-4.0.12 openSUSE:11.4:Update:Test
vbox-4.1.4 openSUSE:12.1
vbox 4.1.8 openSUSE:Factory

according to the table at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html :
CVE-2011-3571 is irrelevant as it affects vbox with version 3.2 (we have only >= 4.0.12)
also we are not affected by CVE-2012-0105 as we don't provide Windows Guest Additions

so there is only CVE-2012-0111, but I can't find more information about this security issue, so I will ask about this on the vbox mailing list; if you have more info about CVE-2011-3571 please give me a note

thanks
Comment 4 Swamp Workflow Management 2012-01-20 23:00:31 UTC
bugbot adjusting priority
Comment 5 Michal Seben 2012-01-29 21:58:30 UTC
here is the thread on the vbox mailing list (regarding CVE-2012-0111):
http://www.mail-archive.com/vbox-dev@virtualbox.org/msg04818.html

unfortunately, from the response it is not clear whether virtualbox 4.1.4 in our openSUSE 12.1 is affected by CVE-2012-0111; however, the virtualbox 4.1.8 release (openSUSE:Factory) fixed this security issue

so my suggestion is to update virtualbox to 4.1.8 for openSUSE 12.1
Comment 6 Sebastian Krahmer 2012-04-04 09:02:45 UTC
After discussing in the team, this should be no problem
for 12.1. So just do it. :)
Comment 7 Michal Seben 2012-09-28 06:05:01 UTC
created request #136305 (using osc maintenancerequest)
to update vbox in suse 12.1 to 4.1.22 (the update also fixes VUL-1 bnc#780711)
Comment 8 Swamp Workflow Management 2012-10-10 08:09:03 UTC
openSUSE-SU-2012:1323-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 737525,742115,743143,761923,780711
CVE References: CVE-2011-3571,CVE-2012-0105,CVE-2012-0111
Sources used:
openSUSE 12.2 (src):    virtualbox-4.1.22-1.6.1
openSUSE 12.1 (src):    virtualbox-4.1.22-3.5.1
openSUSE 11.4 (src):    virtualbox-4.0.12-0.48.1
Comment 9 Marcus Meissner 2012-10-12 11:29:55 UTC
released I think