Bug 247987

Summary:	security/vuxml: emulators/virtualbox-ose 23 CVEs
Product:	Ports & Packages	Reporter:	VVD <vvd>
Component:	Individual Port(s)	Assignee:	Guido Falsi <madpilot>
Status:	Closed FIXED
Severity:	Affects Many People	CC:	madpilot, ports-secteam, vbox
Priority:	Normal	Keywords:	security
Version:	Latest	Flags:	koobs: maintainer-feedback+
Hardware:	Any
OS:	Any
URL:	https://www.oracle.com/security-alerts/cpujul2020.html#AppendixOVIR
Bug Depends on:	244212
Bug Blocks:

Description VVD 2020-07-15 02:53:47 UTC

This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here: https://www.oracle.com/security-alerts/cpujul2020verbose.html#OVIR

Notes:
1. The CVE-2020-14628 is applicable to Windows VM only.
2. The CVE-2020-14711 is applicable to macOS host only.

Comment 1 Kubilay Kocak freebsd_committer

2020-07-16 03:50:44 UTC

Thank you for the report. What is the version that we need to update to to address these vulnerabilities in each branch?

Comment 2 VVD 2020-07-16 04:01:36 UTC

> Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12.

Fixed in 5.2.44 (5.2.34 in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244212), 6.0.24 and 6.1.12 (both not in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234878).

Comment 3 Guido Falsi freebsd_committer

2020-07-19 09:24:35 UTC

CVEs added to vuxml in r542548

Thanks for reporting!