Bug 247987

Summary: security/vuxml: emulators/virtualbox-ose 23 CVEs
Product: Ports & Packages Reporter: VVD <vvd>
Component: Individual Port(s) Assignee: Guido Falsi <madpilot>
Status: Closed FIXED    
Severity: Affects Many People CC: madpilot, ports-secteam, vbox
Priority: Normal Keywords: security
Version: Latest Flags: koobs: maintainer-feedback+
Hardware: Any   
OS: Any   
URL: https://www.oracle.com/security-alerts/cpujul2020.html#AppendixOVIR
Bug Depends on: 244212    
Bug Blocks:    

Description VVD 2020-07-15 02:53:47 UTC
This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here: https://www.oracle.com/security-alerts/cpujul2020verbose.html#OVIR

1. CVE-2020-14628 is applicable to Windows VM only.
2. CVE-2020-14711 is applicable to macOS host only.

Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-16 03:50:44 UTC
Thank you for the report. What is the version that we need to update to to address these vulnerabilities in each branch?

Comment 2 VVD 2020-07-16 04:01:36 UTC
> Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12.

Fixed in 5.2.44 (5.2.34 in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244212), 6.0.24 and 6.1.12 (both not in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234878).

Comment 3 Guido Falsi freebsd_committer 2020-07-19 09:24:35 UTC
CVEs added to vuxml in r542548

Thanks for reporting!