Bug 469044 - <app-emulation/virtualbox-extpack-oracle-4.1.26 : TLS CBC Ciphersuite Plaintext Recovery Weakness (CVE-2013-0169)
Summary: <app-emulation/virtualbox-extpack-oracle-4.1.26 : TLS CBC Ciphersuite Plainte...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53352/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-08 12:48 UTC by Agostino Sarubbo
Modified: 2013-09-04 06:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-05-08 12:48:45 UTC
From ${URL} :

Description
A weakness has been reported in Oracle VirtualBox Extension Pack, which can be exploited by malicious people to disclose certain sensitive information.

The weakness is caused due to the CBC ciphersuite of the Transport Layer Security (TLS) implementation exposing timing differences when verifying the padding checks. This can be exploited to recover parts of the plaintext via a timing attack.

The vulnerability is reported in versions 4.2 prior to 4.2.12 and 4.1 prior to 4.1.26.


Solution
Update to version 4.2.12 or 4.1.26.
Original Advisory
https://blogs.oracle.com/sunsecurity/entry/cve_2013_0169_lucky_thirteen


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
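The advisory text quoted in the description says only that the CBC padding check exposes timing differences. The C below is an added illustration of what that means, written for this page; it is not code from the bug, from VirtualBox or from Oracle, and the bug does not name the TLS library inside the extension pack, so it does not claim to reproduce that library's code. It contrasts a padding check that stops at the first mismatching byte (the number of bytes it examines depends on secret plaintext) with one that always examines a window sized by the public record length, returns a mask instead of branching, and still yields a payload length on bad padding so the caller can run the MAC over a length-independent amount of data. The records are constructed samples (decrypted TLS record bodies with a 4-byte padding block), and the "bytes examined" counter is a deterministic stand-in for the wall-clock time an attacker would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of padding bytes examined by the most recent check; a deterministic
 * stand-in for the timing an attacker would observe on the wire. */
static size_t g_bytes_examined;

/* Vulnerable shape: stop at the first padding byte that does not match.
 * Returns the payload length, or -1 for bad padding (a caller that then
 * skips the MAC produces an even larger timing signal). */
int cbc_strip_padding_leaky(const uint8_t *rec, size_t len)
{
    g_bytes_examined = 0;
    if (len == 0)
        return -1;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len)
        return -1;                       /* padding longer than the record */
    for (size_t i = 0; i <= pad; i++) {
        g_bytes_examined++;
        if (rec[len - 1 - i] != pad)
            return -1;                   /* early exit: the position leaks */
    }
    return (int)(len - 1 - pad);
}

/* 0xff if a == b, else 0, with no data-dependent branch. */
static uint8_t ct_eq8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)(0u - ((x - 1u) >> 31));
}

/* 0xff if a < b, else 0 (valid for a, b far below the top bit of size_t). */
static uint8_t ct_lt(size_t a, size_t b)
{
    return (uint8_t)(0u - (uint32_t)((a - b) >> (sizeof(size_t) * 8 - 1)));
}

/* Hardened shape: examine a window whose size depends only on the public
 * record length, never on the decrypted bytes. Always writes a payload
 * length (bad padding is treated as zero padding so the MAC can still be
 * computed over the record) and returns 0xff for good padding, 0 for bad. */
uint8_t cbc_strip_padding_ct(const uint8_t *rec, size_t len, size_t *payload_len)
{
    g_bytes_examined = 0;
    if (len == 0)
        return 0;
    uint8_t pad = rec[len - 1];
    uint8_t good = ct_lt((size_t)pad, len);         /* pad + 1 <= len */
    size_t window = len < 256 ? len : 256;          /* TLS pad byte is at most 255 */
    for (size_t i = 0; i < window; i++) {
        g_bytes_examined++;
        uint8_t in_pad = ct_lt(i, (size_t)pad + 1); /* 0xff while i <= pad */
        uint8_t b = rec[len - 1 - i];
        good &= (uint8_t)(~in_pad) | ct_eq8(b, pad);
    }
    *payload_len = len - 1 - (size_t)(pad & good);
    return good;
}

/* Constructed sample records (not captured traffic): 16 payload bytes followed
 * by a 4-byte padding block whose length byte is 3. */
#define PAYLOAD 'h','e','l','l','o',' ','T','L','S',' ','r','e','c','o','r','d'
const uint8_t REC_GOOD[20]     = { PAYLOAD, 3, 3, 3, 3 };
const uint8_t REC_BAD_NEAR[20] = { PAYLOAD, 3, 3, 9, 3 }; /* mismatch 1 byte in */
const uint8_t REC_BAD_FAR[20]  = { PAYLOAD, 7, 3, 3, 3 }; /* mismatch 3 bytes in */

/* Probes: run a check and report how many bytes it examined / what it decided. */
size_t bytes_examined_leaky(const uint8_t *rec, size_t len)
{
    (void)cbc_strip_padding_leaky(rec, len);
    return g_bytes_examined;
}
size_t bytes_examined_ct(const uint8_t *rec, size_t len)
{
    size_t n;
    (void)cbc_strip_padding_ct(rec, len, &n);
    return g_bytes_examined;
}
size_t payload_len_ct(const uint8_t *rec, size_t len)
{
    size_t n;
    (void)cbc_strip_padding_ct(rec, len, &n);
    return n;
}
int padding_valid_ct(const uint8_t *rec, size_t len)
{
    size_t n;
    return cbc_strip_padding_ct(rec, len, &n) == 0xff;
}

int main(void)
{
    printf("leaky: good=%zu near=%zu far=%zu bytes examined\n",
           bytes_examined_leaky(REC_GOOD, 20), bytes_examined_leaky(REC_BAD_NEAR, 20),
           bytes_examined_leaky(REC_BAD_FAR, 20));
    printf("ct:    good=%zu near=%zu far=%zu bytes examined\n",
           bytes_examined_ct(REC_GOOD, 20), bytes_examined_ct(REC_BAD_NEAR, 20),
           bytes_examined_ct(REC_BAD_FAR, 20));
    return 0;
}
```

The leaky check examines 2 bytes for REC_BAD_NEAR and 4 for REC_BAD_FAR, so an attacker who can submit modified ciphertexts learns where the first mismatch sits; the constant-time check examines 20 bytes for every record. Fixing only the padding loop is not enough in practice: the MAC must also be computed over a fixed amount of data regardless of the padding result, which is the part of the fix that Lucky Thirteen specifically targets.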
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-05-08 12:56:31 UTC
As I said in IRC both versions are already in the tree.
But we will stabilize the 4.1.26 series which consists of the following packages:

~app-emulation/virtualbox-4.1.26
~app-emulation/virtualbox-additions-4.1.26
~app-emulation/virtualbox-bin-4.1.26
~app-emulation/virtualbox-extpack-oracle-4.1.26
~app-emulation/virtualbox-guest-additions-4.1.26
~app-emulation/virtualbox-modules-4.1.26
~x11-drivers/xf86-video-virtualbox-4.1.26

4.2.x isn't ready for stabilization yet.
4.1.x is quite stable and should IMHO not contain any surprises for our users.

@security: you have my go to process this bug as you think best.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-05-21 14:26:40 UTC
No action from security so let's process this one...

Arches, please test and mark stable the packages mentioned in comment #1.

Target keywords for all packages are:

amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-23 17:54:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-23 17:56:39 UTC
x86 stable
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 22:07:34 UTC
GLSA vote: no.
Comment 6 Sergey Popov gentoo-dev 2013-09-04 06:38:50 UTC
GLSA vote: no

Closing as noglsa