Your message dated Wed, 25 Jan 2023 11:41:06 +0000
with message-id <e1pke9k-003ixm...@fasolo.debian.org>
and subject line Bug#1029153: fixed in virtualbox 7.0.6-dfsg-1
has caused the Debian Bug report #1029153,
regarding virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886
CVE-2023-21889 CVE-2023-21898 CVE-2023-21899
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1029153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: virtualbox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for virtualbox.
Fixed in 7.0.6
CVE-2023-21884[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows high privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base
| Score 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21885[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. Note: Applies to Windows only. CVSS 3.1 Base Score
| 3.8 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
CVE-2023-21886[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2023-21889[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
CVE-2023-21898[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21899[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21884
    https://www.cve.org/CVERecord?id=CVE-2023-21884
[1] https://security-tracker.debian.org/tracker/CVE-2023-21885
    https://www.cve.org/CVERecord?id=CVE-2023-21885
[2] https://security-tracker.debian.org/tracker/CVE-2023-21886
    https://www.cve.org/CVERecord?id=CVE-2023-21886
[3] https://security-tracker.debian.org/tracker/CVE-2023-21889
    https://www.cve.org/CVERecord?id=CVE-2023-21889
[4] https://security-tracker.debian.org/tracker/CVE-2023-21898
    https://www.cve.org/CVERecord?id=CVE-2023-21898
[5] https://security-tracker.debian.org/tracker/CVE-2023-21899
    https://www.cve.org/CVERecord?id=CVE-2023-21899
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: virtualbox
Source-Version: 7.0.6-dfsg-1
Done: Gianfranco Costamagna <locutusofb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofb...@debian.org> (supplier of updated
virtualbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 Jan 2023 12:16:26 +0100
Source: virtualbox
Built-For-Profiles: noudeb
Architecture: source
Version: 7.0.6-dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Virtualbox Team <team+debian-virtual...@tracker.debian.org>
Changed-By: Gianfranco Costamagna <locutusofb...@debian.org>
Closes: 1029153
Changes:
virtualbox (7.0.6-dfsg-1) unstable; urgency=medium
.
* New upstream version 7.0.6-dfsg (Closes: #1029153)
* Refresh patches, drop upstream patches
* Update manpages
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---