October 2018 Oracle CPU says VirtualBox 5.2.20 fixed several security issues:
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixOVIR
https://www.virtualbox.org/wiki/Changelog#20
Whiteboard: (none) => MGA6TOO
Advisory will follow...

SRPMS:
kmod-vboxadditions-5.2.20-1.mga6.src.rpm
kmod-virtualbox-5.2.20-1.mga6.src.rpm
virtualbox-5.2.20-1.mga6.src.rpm

i586:
dkms-vboxadditions-5.2.20-1.mga6.noarch.rpm
dkms-virtualbox-5.2.20-1.mga6.noarch.rpm
python-virtualbox-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-desktop586-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.20-1.mga6.i586.rpm
virtualbox-5.2.20-1.mga6.i586.rpm
virtualbox-devel-5.2.20-1.mga6.i586.rpm
virtualbox-guest-additions-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-desktop586-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.20-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.2.20-1.mga6.i586.rpm

x86_64:
dkms-vboxadditions-5.2.20-1.mga6.noarch.rpm
dkms-virtualbox-5.2.20-1.mga6.noarch.rpm
python-virtualbox-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.20-1.mga6.x86_64.rpm
virtualbox-5.2.20-1.mga6.x86_64.rpm
virtualbox-devel-5.2.20-1.mga6.x86_64.rpm
virtualbox-guest-additions-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.20-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64.rpm
Assignee: tmb => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
on mga6-64 plasma

packages installed cleanly
- dkms-virtualbox-5.2.20-1.mga6.noarch
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64

vbox relaunched normally
extension pack upgraded cleanly
mga6-32 (plasma) and mga6-64 (plasma) clients launched normally
updated vboxadditions and vboxvideo on mga6-32 and mga6-64 clients
both re-launched normally
no regressions noted

OK for mga6-64 on this system:
Machine: Device: desktop System: Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics: Card: Intel HD Graphics 530
CC: (none) => jim
Whiteboard: (none) => MGA6-64-OK
On an HP Probook 6550b host, i3, 8GB, Intel graphics, Intel wifi, 64-bit Plasma system.

This system does not have dkms-virtualbox installed by design, to ensure that the pre-built kernel modules are tested, and not those built locally. None of the Mageia guests have dkms installed, for the same reason.

Packages installed cleanly.
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64

VirtualBox launched normally, extension pack downloaded and installed without incident. Mageia 6 32-bit and 64-bit Plasma guests run, updated, rebooted, and vboxadditions updated to version 5.2.20. Windows XP guest run, guest additions downloaded and updated, antimalware program updated after scolding. All guests run normally.

Ok on this hardware.
CC: (none) => andrewsfarm
Used the above install to create a new Mageia 6.1 Plasma guest, and update it. Everything worked as expected.
On real hardware, M6, Plasma, 64-bit

Package(s) under test:
virtualbox

default install of packages:
kernel-desktop-latest virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest

The following 10 packages are going to be installed:
- dkms-virtualbox-5.2.18-1.mga6.noarch
- vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.18-10.mga6.x86_64
- virtualbox-5.2.18-1.mga6.x86_64
- virtualbox-doc-5.1.30-1.mga6.noarch
- virtualbox-guest-additions-5.2.18-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.18-10.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64
- xrandr-1.5.0-1.mga6.x86_64

[root@localhost wilcal]# uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.2.18-10.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.2.18-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.2.18-10.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-390.87-1.mga6.nonfree.x86_64 is already installed

[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
    Subsystem: Gigabyte Technology Co., Ltd Device 3518
    Kernel driver in use: nvidia
    Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current

Mageia-6-LiveDVD-Xfce-i586-DVD.iso
Boots to a working desktop. Common apps work. Screen sizes are correct.

install from updates testing:
kernel-desktop-latest virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest

The following 8 packages are going to be installed:
- dkms-virtualbox-5.2.20-1.mga6.noarch
- vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-guest-additions-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64

[root@localhost wilcal]# uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.2.20-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-390.87-1.mga6.nonfree.x86_64 is already installed

[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
    Subsystem: Gigabyte Technology Co., Ltd Device 3518
    Kernel driver in use: nvidia
    Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current

Mageia-6-LiveDVD-GNOME-x86_64-DVD.iso
M6 x86_64 Gnome Live-DVD runs as a Vbox client.
Boots to a working desktop. Common apps work. Screen sizes are correct.

Mageia-6.1-LiveDVD-Plasma-x86_64-DVD.iso
Installs, updates then boots back to a working desktop.

Hardware used:
Intel Core i5-4460 Haswell Quad-Core 3.2GHz LGA 115
Gigabyte GA-B85M-D3H LGA 1150 Intel B85 chipset
Integrated Graphics Processor - Intel HD Graphics support
Audio chipset - Realtek ALC892, 7.1 channels
Corsair Vengeance 8GB ( 2 x 4GB ) 240-pin DDR3 SDRAM 1600
CC: (none) => wilcal.int
Host hardware: Athlon X2 7750, 8GB RAM, Nvidia 9800 GT graphics (nvidia340 driver), Atheros wifi. Host is running a 64-bit Plasma system, using the server kernel. As with the system in Comment 3, this system does not have dkms-virtualbox installed, to ensure that the pre-built kernel modules would be the ones used.

Guest systems: 1 64-bit MGA6 Plasma system, 1 32-bit MGA6 Plasma system, and one Windows XP system.

Host packages installed cleanly, host extension pack updated without incident. Each guest, in turn, was updated, and all packages in them installed cleanly, as well.

Looks good on this hardware.
I updated this on a third 64-bit install, then exported guests from the machine in Comment 3 and imported them into this third install. All without incident, and all worked fine in the new install afterward. I see no reason to hold this back any longer. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory, added to svn:

type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
 - CVE-2018-0732
 - CVE-2018-2909
 - CVE-2018-3287
 - CVE-2018-3288
 - CVE-2018-3289
 - CVE-2018-3290
 - CVE-2018-3291
 - CVE-2018-3292
 - CVE-2018-3293
 - CVE-2018-3294
 - CVE-2018-3295
 - CVE-2018-3296
 - CVE-2018-3297
 - CVE-2018-3298
src:
  6:
   core:
     - virtualbox-5.2.20-1.mga6
     - kmod-virtualbox-5.2.20-1.mga6
     - kmod-vboxadditions-5.2.20-1.mga6
description: |
  This update provides virtualbox 5.2.20 and fixes the following security
  vulnerabilities:

  During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  malicious server can send a very large prime value to the client. This will
  cause the client to spend an unreasonably long period of time generating a
  key for this prime resulting in a hang until the client has finished. This
  could be exploited in a Denial Of Service attack (CVE-2018-0732).

  Vulnerability in VirtualBox contains an easily exploitable vulnerability
  that allows unauthenticated attacker with logon to the infrastructure where
  VirtualBox executes to compromise VirtualBox. Successful attacks require
  human interaction from a person other than the attacker and while the
  vulnerability is in VirtualBox, attacks may significantly impact additional
  products. Successful attacks of this vulnerability can result in takeover
  of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288, CVE-2018-3289,
  CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3295,
  CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).

  Vulnerability in VirtualBox contains an easily exploitable vulnerability
  that allows unauthenticated attacker with low privileged attacker with
  network access via VRDP to compromise VirtualBox. Successful attacks require
  human interaction from a person other than the attacker and while the
  vulnerability is in VirtualBox, attacks may significantly impact additional
  products. Successful attacks of this vulnerability can result in takeover
  of VirtualBox (CVE-2018-3294).

  For other fixes in this update, see the referenced changelog.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23719
 - https://www.virtualbox.org/wiki/Changelog#20
 - https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixOVIR
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0437.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
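
Added example (not part of the original bug report or of Mageia's tooling): a shell check that lists VirtualBox-family packages still below the fixed 5.2.20-1.mga6 build named in the advisory, including the kernel-module packages whose names embed a kernel version. The function names and the sample package list are constructed for illustration, and `sort -V` is assumed to be an adequate approximation of rpm's version ordering for these versions.

```shell
#!/bin/sh
# Added example, not part of the bug report: list VirtualBox-family packages
# whose version-release is still below the fixed build.
FIXED="5.2.20-1.mga6"   # fixed version-release, from the advisory on this page

# Constructed sample: a partly updated host, built from package names that
# appear in the test reports above.
sample_pkgs() {
cat <<'EOF'
dkms-virtualbox-5.2.20-1.mga6.noarch
virtualbox-5.2.20-1.mga6.x86_64
virtualbox-doc-5.1.30-1.mga6.noarch
virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64
virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64
x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64
xrandr-1.5.0-1.mga6.x86_64
EOF
}

# Reads name-version-release.arch lines on stdin and prints the
# VirtualBox-family ones that sort below $FIXED.
stale_vbox_pkgs() {
    grep -E 'virtualbox|vboxadditions|vboxvideo' | while IFS= read -r nvra; do
        nvr=${nvra%.*}      # strip ".arch"
        rel=${nvr##*-}      # release is the last dash-separated field
        rest=${nvr%-*}
        ver=${rest##*-}     # version is the field before it, so a kernel
                            # version embedded in the name is ignored
        vr="$ver-$rel"
        # Assumption: sort -V approximates rpm's version ordering here.
        lowest=$(printf '%s\n%s\n' "$vr" "$FIXED" | sort -V | head -n 1)
        if [ "$vr" != "$FIXED" ] && [ "$lowest" = "$vr" ]; then
            printf '%s\n' "$nvra"
        fi
    done
}

# Stand-alone run on the sample; on a real host: rpm -qa | stale_vbox_pkgs
sample_pkgs | stale_vbox_pkgs
```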