<https://www.freshports.org/vuxml.php?package=virtualbox-ose> does include the two vulnerabilities that are under <https://www.oracle.com/security-alerts/cpujul2022.html#AppendixOVIR>. I have not checked whether preceding vulnerabilities are documented.

Subsequent vulnerabilities, not documented:

<https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixOVIR>
<https://www.oracle.com/security-alerts/cpujan2023.html#AppendixOVIR>
<https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixOVIR>
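As an added illustration of the check described in the report above (does the VuXML database carry an entry naming a port for every CVE an Oracle advisory lists), and not code from this bug or from the security/vuxml port: a small Python script that parses a constructed VuXML document and reports which advisory CVE ids have no entry affecting the port. The vid, dates and CVE ids in the sample are placeholders, not real entries.

```python
import xml.etree.ElementTree as ET

# VuXML documents live in this namespace; findall() needs it for every tag.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample in VuXML layout (placeholder vid, dates and CVE ids).
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>virtualbox-ose -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>virtualbox-ose</name>
        <name>virtualbox-ose-nox11</name>
        <range><lt>6.1.40</lt></range>
      </package>
    </affects>
    <description><body xmlns="http://www.w3.org/1999/xhtml"><p>placeholder</p></body></description>
    <references>
      <cvename>CVE-2022-00001</cvename>
      <cvename>CVE-2022-00002</cvename>
    </references>
    <dates><discovery>2022-07-19</discovery><entry>2022-07-20</entry></dates>
  </vuln>
</vuxml>
"""


def documented_cves(vuxml_text: str, port_name: str) -> set:
    """Return the CVE ids of every <vuln> whose <affects> names port_name."""
    root = ET.fromstring(vuxml_text)
    found = set()
    for vuln in root.findall("v:vuln", NS):
        names = {n.text for n in vuln.findall("v:affects/v:package/v:name", NS)}
        if port_name in names:
            found.update(c.text for c in vuln.findall("v:references/v:cvename", NS))
    return found


def missing_cves(vuxml_text: str, port_name: str, advisory_cves) -> list:
    """CVE ids from an advisory that no VuXML entry for port_name references."""
    return sorted(set(advisory_cves) - documented_cves(vuxml_text, port_name))


if __name__ == "__main__":
    # CVE ids an advisory lists for the port (constructed placeholders).
    advisory = ["CVE-2022-00001", "CVE-2022-00002", "CVE-2023-00003"]
    print(missing_cves(SAMPLE_VUXML, "virtualbox-ose", advisory))
```

Run against the real security/vuxml/vuln.xml with the CVE ids copied from an advisory to see which still need a `make newentry`.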
^Triage: reporter is committer, assign accordingly. Tip: cd security/vuxml && make newentry CVE_ID=CVE-YYYY-NNNNN
In an earlier report I noted that this type of work will be better done by someone with relevant experience. Thanks.
(In reply to Graham Perrin from comment #2) I wonder how those other people acquired that experience... Maybe they tried *a first time*?
(In reply to Fernando Apesteguía from comment #3) Bug reports are not the place to discuss things such as this, but since I'm being pushed, here goes.

----

I take a fairly conscientious approach to security vulnerabilities and other security issues. This approach will not extend, in the near future, to learning more about VuXML. I strike a balance between:

a) the many other things that remain to be learnt – for my day job, and for volunteer contributions in areas such as the FreeBSD Project
b) the need to keep myself motivated whilst sometimes deeply frustrated – this means, leaning towards things that I enjoy
c) the need for appropriate learning paths – please be reminded that I am dyslexic.

I linked to my profile, in Phabricator, when I introduced myself to developers@ after gaining a doc commit bit.

There are, simply, too many things to learn; and the Project has too few volunteers.

Pushing me in a direction that's unwanted, when I'm already overly busy and/or frustrated in areas that are far more important (or essential) to me, will surely reduce my readiness to volunteer.

Please consider using the next FreeBSD Project status report as a medium to call for help; and the FreeBSD Journal as a medium through which people might be taught.

Thank you
With the Oracle-supported 6.1 branch <https://www.virtualbox.org/wiki/Changelog-6.1> currently at 6.1.44:

As far as I can tell, from a FreeBSD-CURRENT perspective, <https://cgit.freebsd.org/ports/commit/?id=1d37fcd8316a078e512852b7c565b5b2cf2dcbcd> (2023-05-15), its cherry-pick to 2023Q2, and other 6.1-related commits negated the need to mark as FORBIDDEN.

% uname -r
14.0-CURRENT
% pkg search virtualbox | grep -v 6.1.44
phpvirtualbox-6.1_1                              AJAX Web Interface for VirtualBox
phpvirtualbox-legacy-5.2.1_2                     AJAX Web Interface for VirtualBox
virtualbox-ose-additions-legacy-5.2.44_5         VirtualBox additions for FreeBSD guests
virtualbox-ose-additions-nox11-legacy-5.2.44_4   VirtualBox additions for FreeBSD guests
virtualbox-ose-kmod-legacy-5.2.44_7              VirtualBox kernel module for FreeBSD
%

In addition: we might reasonably assume that ports of the 5.2 branch are vulnerable, however these are no longer supported by Oracle (and so, we can't expect vulnerabilities to be documented by Oracle).
*** Bug 272586 has been marked as a duplicate of this bug. ***
From the duplicate report, condensed (corrected) to a list of five:

emulators/virtualbox-ose
emulators/virtualbox-ose-additions
emulators/virtualbox-ose-additions-nox11
emulators/virtualbox-ose-kmod
emulators/virtualbox-ose-nox11

<https://www.freshports.org/search.php?stype=name&method=match&query=virtualbox-ose&num=20&orderby=port&orderbyupdown=asc&search=Search&format=html&minimal=1&branch=head>
Created attachment 243493
emulators/virtualbox-ose-6.1.44 CVE

I think this correctly captures the 4 CVEs.

John
groenveld@acm.org
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7be06437cf4dde2f4e096c225bebe415225f64ab

commit 7be06437cf4dde2f4e096c225bebe415225f64ab
Author:     Patrick R Groeneveld <groenveld@acm.org>
AuthorDate: 2023-07-20 06:40:26 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-07-20 06:40:26 +0000

    security/vuxml: Document vulnerabilities in emulators/virtualbox-ose*

    ChangeLog: https://www.oracle.com/security-alerts/

    PR:             271141
    Reported by:    grahamperrin@freebsd.org

 security/vuxml/vuln/2023.xml | 112 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 111 insertions(+), 1 deletion(-)
<https://www.oracle.com/security-alerts/cpujul2023.html#AppendixOVIR>

The fix for bug 272572 negates the need to mark things FORBIDDEN.