247987 – security/vuxml: emulators/virtualbox-ose 23 CVEs

Bug 247987 - security/vuxml: emulators/virtualbox-ose 23 CVEs

Summary: security/vuxml: emulators/virtualbox-ose 23 CVEs

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	Guido Falsi

URL:	https://www.oracle.com/security-alert...
Keywords:	security

Depends on:	244212
Blocks:
	Show dependency tree / graph

Reported:	2020-07-15 02:53 UTC by VVD
Modified:	2020-07-19 09:28 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	koobs: maintainer-feedback+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description VVD 2020-07-15 02:53:47 UTC

This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here: https://www.oracle.com/security-alerts/cpujul2020verbose.html#OVIR

Notes:
1. The CVE-2020-14628 is applicable to Windows VM only.
2. The CVE-2020-14711 is applicable to macOS host only.

Comment 1 Kubilay Kocak freebsd_committer

2020-07-16 03:50:44 UTC

Thank you for the report. What is the version that we need to update to to address these vulnerabilities in each branch?

Comment 2 VVD 2020-07-16 04:01:36 UTC

> Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12.

Fixed in 5.2.44 (5.2.34 in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244212), 6.0.24 and 6.1.12 (both not in ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234878).

Comment 3 Guido Falsi freebsd_committer

2020-07-19 09:24:35 UTC

CVEs added to vuxml in r542548

Thanks for reporting!