The July 2021 Oracle CPU lists security issues fixed in VirtualBox 6.1.24:
https://www.oracle.com/security-alerts/cpujul2021.html#AppendixOVIR
6.1.24 also fixes several other bugs:
https://www.virtualbox.org/wiki/Changelog-6.1#v24
Yep, I know. And Cauldron is already updated. I just need the current kernel updates to go out before pushing this one for the kmods.
SRPMS:
virtualbox-6.1.24-1.mga8.src.rpm
kmod-virtualbox-6.1.24-1.1.mga8.src.rpm
i586:
virtualbox-6.1.24-1.mga8.i586.rpm
virtualbox-guest-additions-6.1.24-1.mga8.i586.rpm
x86_64:
dkms-virtualbox-6.1.24-1.mga8.x86_64.rpm
python-virtualbox-6.1.24-1.mga8.x86_64.rpm
virtualbox-6.1.24-1.mga8.x86_64.rpm
virtualbox-devel-6.1.24-1.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.24-1.mga8.x86_64.rpm
virtualbox-kernel-5.10.52-desktop-1.mga8-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-5.10.52-server-1.mga8-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.24-1.1.mga8.x86_64.rpm
Assignee: tmb => qa-bugs
Suggested Advisory:
========================

Updated virtualbox packages fix security vulnerabilities:

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox (CVE-2021-2409).

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox (CVE-2021-2442).

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. Note: This vulnerability applies to Solaris x86 and Linux systems only (CVE-2021-2443).

Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox (CVE-2021-2454).

The virtualbox packages are upgraded to 6.1.24 maintenance release which fixes these security issues among other bugfixes. See upstream release notes.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29279
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2409
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2442
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2443
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2454
- https://www.virtualbox.org/wiki/Changelog-6.1#v24
- https://www.oracle.com/security-alerts/cpujul2021.html#AppendixOVIR
========================

Updated packages in core/updates_testing:
========================
virtualbox-6.1.24-1.mga8.i586.rpm
virtualbox-guest-additions-6.1.24-1.mga8.i586.rpm

x86_64:
dkms-virtualbox-6.1.24-1.mga8.x86_64.rpm
python-virtualbox-6.1.24-1.mga8.x86_64.rpm
virtualbox-6.1.24-1.mga8.x86_64.rpm
virtualbox-devel-6.1.24-1.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.24-1.mga8.x86_64.rpm
virtualbox-kernel-5.10.52-desktop-1.mga8-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-5.10.52-server-1.mga8-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.24-1.1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.24-1.1.mga8.x86_64.rpm

from SRPM:
virtualbox-6.1.24-1.mga8.src.rpm
kmod-virtualbox-6.1.24-1.1.mga8.src.rpm
CC: (none) => ouaurelien
MGA8-64
Install OK over existing 6.1.22 version. Rebooting.
Runs virtualbox GUI ok
Runs some VM OK.
Creating BIOS-based VM OK.
Creating EFI-based VM with default preset. Still broken. This invariably goes to an EFI-shell. Devices seem to be visible by shell (EDK) but all Mageia ISO do not boot. (Other ISO (openSUSE, KDE Neon, Kubuntu) do not boot in EFI mode).
https://bugs.mageia.org/show_bug.cgi?id=28330 Still the case.
(In reply to Aurelien Oudelet from comment #5)
> https://bugs.mageia.org/show_bug.cgi?id=28330
>
> Still the case.
Yeah that's an upstream issue. I even saw that running 6.1.24 on RHEL7 and Windows with a RHEL8 VM.
Keywords: (none) => advisory
HP Probook 6550b, mga8-64 Plasma system. No installation issues. After downloading it, installed the extension pack using the gui without incident. The only guests I happen to have on this system are a 32-bit Windows XP and a 64-bit Windows 7 Professional. Both run OK, for Windows, and after a few Windows peculiarities I was able to install guest additions on each. I had to remove a virtual optical disk before I could insert the recently downloaded one, and with Windows XP the inserted CD failed to autostart. These both seem where they might be normal for Windows, but I don't have enough experience to know for sure. Even if these are problems, they are upstream issues, and have nothing to do with us. I may see if I can install a mga8 guest tomorrow, if it rains and I can't go fishing.
CC: (none) => andrewsfarm
We seem to be missing virtualbox-kernel for latest backport kernel.
CC: (none) => fri
(In reply to Morgan Leijström from comment #8)
> We seem to be missing virtualbox-kernel for latest backport kernel.
If you're referring to a kernel in a testing repo, it's not unusual for the kernel to have a version built without the kmod packages (including vb kernel) to test some kernel changes in advance of additional changes expected before the kernel will be an update candidate. Such a kernel update is only for preliminary testing, never intended for release beyond qa or specific bug fix testing. When testing such a kernel, packages that require kmod drivers have to be excluded from the testing. Any testing of packages that need the kmod drivers should be done while booting the latest released kernel update.
CC: (none) => davidwhodgins
(In reply to Morgan Leijström from comment #8)
> We seem to be missing virtualbox-kernel for latest backport kernel.
It won't be built until this update is validated and pushed, as currently the buildsystem does not add updates_testing as media during backports_testing builds.
Was able to create a new Mageia 8 guest on the hardware from Comment 7. Had a little trouble at first getting it to boot correctly, but that was because of the display settings I used, rather than anything to do with this update. So, as far as I can test on vacation, this is good to go.
OK running on kernel 5.10.52-desktop-1, Plasma, nvidia-current Launching my existing windows 7 64 bit guest, my usual tests regarding USB, video with sound on internet, host file sharing, bidirectional clipboard...
No regressions noticed with multiple guests on two different hosts. Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0385.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
(In reply to Thomas Backlund from comment #10)
> (In reply to Morgan Leijström from comment #8)
> > We seem to be missing virtualbox-kernel for latest backport kernel.
>
> It wont be built until this update is validated and pushed, as currently the
> buildsystem does not add updates_testing as media during backports_testing
> builds.
backports_testing kmods available:
virtualbox-kernel-5.13.4-desktop-1.mga8-6.1.24-2.1.mga8.x86_64.rpm
virtualbox-kernel-5.13.4-server-1.mga8-6.1.24-2.1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.24-2.1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.24-2.1.mga8.x86_64.rpm
How about for the updates_testing kernel?
(In reply to David Walser from comment #16)
> How about for the updates_testing kernel?
The backports_testing set is for the kernel already validated in backports. And there are new kernels coming to updates_testing, so I usually don't rebuild kmods for every set, but I probably will for 5.10.54 / 5.13.6 as there are several upstream regressions I want to fix...
Tested OK with kernel 5.13.4-desktop-1 64 bit:
virtualbox-kernel-5.13.4-desktop-1.mga8-6.1.24-2.1.mga8.x86_64.rpm
Same tests as in comment 12
And 6.1.26 is already out. Oof. The world moves too fast.