The April 2018 Oracle CPU lists some security issues fixed in VirtualBox 5.2.10: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR Mageia 5 and Mageia 6 are also affected (only 6 will be updated).
Whiteboard: (none) => MGA6TOO
Cauldron updated, Mga6 update will be pushed after the QT update mess is done
Depends on: (none) => 22657Version: Cauldron => 6
openSUSE has issued an advisory for this today (April 24): https://lists.opensuse.org/opensuse-updates/2018-04/msg00065.html
Status comment: (none) => Fixed upstream in 5.2.10
5.2.12 is out: https://www.virtualbox.org/wiki/Changelog
Rpms to test: SRPMS: virtualbox-5.2.12-1.mga6.src.rpm i586: dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm dkms-virtualbox-5.2.12-1.mga6.noarch.rpm python-virtualbox-5.2.12-1.mga6.i586.rpm virtualbox-5.2.12-1.mga6.i586.rpm virtualbox-devel-5.2.12-1.mga6.i586.rpm virtualbox-guest-additions-5.2.12-1.mga6.i586.rpm x11-driver-video-vboxvideo-5.2.12-1.mga6.i586.rpm x86_64: dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm dkms-virtualbox-5.2.12-1.mga6.noarch.rpm python-virtualbox-5.2.12-1.mga6.x86_64.rpm virtualbox-5.2.12-1.mga6.x86_64.rpm virtualbox-devel-5.2.12-1.mga6.x86_64.rpm virtualbox-guest-additions-5.2.12-1.mga6.x86_64.rpm x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64.rpm Prebuilt kmods will b built after kernel-4.14.40 is out
Assignee: tmb => qa-bugsDepends on: (none) => 22909
Updated to: - dkms-virtualbox-5.2.12-1.mga6.noarch - virtualbox-5.2.12-1.mga6.x86_64 And also retrieved and installed the extpack per https://bugs.mageia.org/show_bug.cgi?id=18962#c27 Host: my workstation i7, kernel-desktop-4.14.40-1.mga6-1-1.mga6.x86_64, Geforce GTX750 with nvidia-current 390.48-1.mga6 with CUDA & OpenCL detected OK in BOINC, LVM on LUKS, , Plasma5.12 etc Guest: Microsoft Windows 7 pro Simple test: windows update works, some apps, firefox... No audio, but i dont remember if i ever tried it before - never needed it here.
CC: (none) => fri
kmods are now built, so the added packages are: SRPMS: kmod-vboxadditions-5.2.12-1.mga6.src.rpm kmod-virtualbox-5.2.12-1.mga6.src.rpm i586: vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm vboxadditions-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm vboxadditions-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm vboxadditions-kernel-server-latest-5.2.12-1.mga6.i586.rpm virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm virtualbox-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm virtualbox-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm virtualbox-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm virtualbox-kernel-server-latest-5.2.12-1.mga6.i586.rpm x86_64: boxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm vboxadditions-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm virtualbox-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Mageia 6, x86_64 Installed the desktop version and found the transition seamless. Booted three mga5 guests, one at a time and found no problems. Installed a large package on one and recovered saved state on another.
CC: (none) => tarazed25
on mga6-64 packages installed cleanly: - virtualbox-5.2.12-1.mga6.x86_64 - virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64 - virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64 vbox re-launched normally extension pack updated cleanly on mga6-32 client: packages installed cleanly: - vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586 - vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586 - virtualbox-guest-additions-5.2.12-1.mga6.i586 - x11-driver-video-vboxvideo-5.2.12-1.mga6.i586 client re-launched normally on mga6-64 client packages installed cleanly: - vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64 - vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64 - virtualbox-guest-additions-5.2.12-1.mga6.x86_64 - x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64 client re-launched normally winxp and win7 clients: additions updated; re-started normally this update looks good for mga6-64 on this system
CC: (none) => jim
Installed this on Mageia 6, x86_64. Host 4.14.40-desktop-1.mga6 Mageia vbox guests launched fine and behaved normally. Upgraded the kernel in one vbox and rebooted without trouble. Installed scheduled updates. Leaving one 32-bit guest running for more longterm testing but at first look the update works fine.
Installed on Athlon X2 7750, 8GB, nvidia 340 graphics, atheros wifi, Plasma host system using the server kernel. Packages installed cleanly. Downloaded and updated extension pack. Ran Windows XP guest, downloaded and inserted new guest additions. Everything looks good. Ran a 64-bit Mageia guest that has not yet received the Grand Update. It ran fine, as far as I went with it, but I decided rather than go through the update yet again, I'll import a guest from another machine that has already had it done. But, as far as I went, it looks good on this hardware.
CC: (none) => andrewsfarm
Updated 64-bit packages on a HP 6550b host (i3, 8GB,Intel graphics, Intel wifi), Plasma system using the 4.14.40 desktop kernel. Packages installed cleanly. Downloaded and installed the extension pack. Ran Windows XP guest and inserted new guest additions. Also updated guest additions in both 64 and 32 bit Mageia 6 Plasma guests, along with vboxvideo driver. Everything appears to work as it should. No problems noted at all.
Blocks: (none) => 23075
On real hardware, M6, Plasma, 64-bit Package(s) under test: virtualbox install from update testing: kernel-desktop-latest virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo kernel-desktop-devel-latest dkms-nvidia-current The following 30 packages are going to be installed: - binutils-2.25.1-7.mga6.x86_64 - dkms-2.0.19-39.mga6.noarch - dkms-minimal-2.0.19-39.mga6.noarch - dkms-virtualbox-5.2.12-1.mga6.noarch - gcc-5.5.0-1.mga6.x86_64 - gcc-cpp-5.5.0-1.mga6.x86_64 - glibc-devel-2.22-28.mga6.x86_64 - isl-0.16.1-1.mga6.x86_64 - kernel-desktop-devel-4.14.40-1.mga6-1-1.mga6.x86_64 - kernel-desktop-devel-4.14.43-1.mga6-1-1.mga6.x86_64 - kernel-desktop-devel-latest-4.14.43-1.mga6.x86_64 - kernel-userspace-headers-4.14.43-1.mga6.x86_64 - lib64bzip2-devel-1.0.6-10.mga6.x86_64 - lib64elfutils-devel-0.169-1.mga6.x86_64 - lib64isl15-0.16.1-1.mga6.x86_64 - lib64lzma-devel-5.2.3-1.mga6.x86_64 - lib64mpc3-1.0.3-1.mga6.x86_64 - lib64ncurses-devel-6.0-8.1.mga6.x86_64 - lib64zlib-devel-1.2.11-4.1.mga6.x86_64 - libstdc++5-3.3.6-15.mga6.x86_64 - libstdc++5-devel-3.3.6-15.mga6.x86_64 - vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64 - vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64 - virtualbox-5.2.12-1.mga6.x86_64 - virtualbox-doc-5.1.30-1.mga6.noarch - virtualbox-guest-additions-5.2.12-1.mga6.x86_64 - virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64 - virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64 - x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64 - xrandr-1.5.0-1.mga6.x86_64 312MB of additional disk space will be used. 79MB of packages will be retrieved. [root@localhost wilcal]# uname -a Linux localhost 4.14.43-desktop-1.mga6 #1 SMP Wed May 23 05:30:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux [root@localhost wilcal]# urpmi kernel-desktop-latest Package kernel-desktop-latest-4.14.43-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi virtualbox Package virtualbox-5.2.12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest Package vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi dkms-virtualbox Package dkms-virtualbox-5.2.12-1.mga6.noarch is already installed [root@localhost wilcal]# urpmi virtualbox-guest-additions Package virtualbox-guest-additions-5.2.12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest Package virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi x11-driver-video-vboxvideo Package x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi kernel-desktop-devel-latest Package kernel-desktop-devel-latest-4.14.43-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi dkms-nvidia-current Package dkms-nvidia-current-390.59-1.mga6.nonfree.x86_64 is already installed [wilcal@localhost ~]$ lspci -k 00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller (rev 06) Subsystem: Gigabyte Technology Co., Ltd Device d000 Kernel driver in use: i915 Kernel modules: i915 Mageia-6-LiveDVD-Xfce-i586-DVD.iso md5sum: 911088471ddc24bc2d92084e19cec53 date: 7/11/17 M6 i586 Mate Live-DVD runs as a Vbox client. Boots to a working desktop. Common apps work. Screen sizes are correct. Mageia-6-LiveDVD-GNOME-x86_64-DVD.iso md5sum: 0511e13ba72f9fc6d155702d25704e1e date: 7/11/17 M6 x86_64 Gnome Live-DVD runs as a Vbox client. Boots to a working desktop. Common apps work. Screen sizes are correct. Mageia-6-x86_64-DVD.iso md5sum: 55e20da532496124e6e720896fdf9fe4 date: 7/15/17 M6 x86_64 CI installed and then updated ( 332 files ). Hardware used: Intel Core i5-4460 Haswell Quad-Core 3.2GHz LGA 115 Gigabyte GA-B85M-D3H LGA 1150 Intel B85 chipset Integrated Graphics Processor - Intel HD Graphics support Audito chipset - Realtek ALC892, 7.1 channels Corsair Vengeance 8GB ( 2 x 4GB ) 240-pin DDR3 SDRAM 1600
CC: (none) => wilcal.int
Looks like no one has had any problems with this. OKing for 64-bit. Is there any reason why it shouldn't be pushed, so that the kmods for the new kernel can be built?
Whiteboard: (none) => MGA6-64-OK
Advisory (added to svn), validating to get new kernel kmods out type: security subject: Updated virtualbox packages fix security vulnerabilities CVE: - CVE-2018-0739 - CVE-2018-2830 - CVE-2018-2831 - CVE-2018-2835 - CVE-2018-2836 - CVE-2018-2837 - CVE-2018-2842 - CVE-2018-2843 - CVE-2018-2844 - CVE-2018-2845 - CVE-2018-2860 src: 6: core: - virtualbox-5.2.12-1.mga6 - kmod-virtualbox-5.2.12-1.mga6 - kmod-vboxadditions-5.2.12-1.mga6 description: | This update provides virtualbox 5.2.12 and fixes the following security issues: Unauthorized remote attacker may have caused a hang or frequently repeatable crash (complete DOS) (CVE-2018-0739). Attacker with host login may have compromised Virtualbox or further system services after interaction with a third user (CVE-2018-2830). Attacker with host login may have compromised VirtualBox or further system services, allowing read access to some data (CVE-2018-2831). Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user (CVE-2018-2835, CVE-2018-2836, CVE-2018-2837, CVE-2018-2842, CVE-2018-2843, CVE-2018-2844). Attacker with host login may have caused a hang or frequently repeatable crash (complete DOS), and perform unauthorized read and write operation to some VirtualBox accessible data (CVE-2018-2845). Privileged attacker may have gained control over VirtualBox and possibly further system services (CVE-2018-2860). For other fixes in this update, see the referenced changelog references: - https://bugs.mageia.org/show_bug.cgi?id=22930 - https://www.virtualbox.org/wiki/Changelog - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0257.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED