Summary: | app-emulation/virtualbox{-bin}-{5.2.36,6.0.16,6.1.2}: Multiple vulnerabilities (CVE-2019-{2926,2944,2984,3002,3005,3017,3021,3026,3028,3031}, CVE-2020-{2674,2678,2681,2682,2689,2690,2691,2692,2693,2698,2701,2702,2703,2704,2705,2725,2726,2727,2742,2743}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sam James <sam>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | ajak, polynomial-c
Priority: | Normal | Keywords: | STABLEREQ
Version: | unspecified | Flags: | nattka: sanity-check-
Hardware: | All | |
OS: | Linux | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=717626, https://bugs.gentoo.org/show_bug.cgi?id=717782 | |
Whiteboard: | B2 [glsa+ cve blocked] | |
Package list: | app-emulation/virtualbox-5.2.36, app-emulation/virtualbox-modules-5.2.36, app-emulation/virtualbox-guest-additions-5.2.36, app-emulation/virtualbox-extpack-oracle-5.2.36.135684, app-emulation/virtualbox-bin-5.2.36.135684, app-emulation/virtualbox-additions-5.2.36 | |
Runtime testing required: | --- | |
Bug Depends on: | 717626 | |
Bug Blocks: | | |
Description
Sam James
2020-03-23 13:21:20 UTC

@maintainer(s): the only vulnerable version still in tree is 5.2.32. Please cleanup this version.

(In reply to sam_c (Security Padawan) from comment #1)
> @maintainer(s): the only vulnerable version still in tree is 5.2.32. Please
> cleanup this version.

Sorry, please advise if you're ready for stabilisation of a newer version, or call yourself.

An automated check of this bug failed - the following atom is unknown: app-emulation/virtualbox-bin-5.2.36
Please verify the atom list.

amd64 stable

New GLSA request filed.

This issue was resolved and addressed in GLSA 202004-02 at https://security.gentoo.org/glsa/202004-02 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures.
@x86: ping

CVE-2020-2743 (https://nvd.nist.gov/vuln/detail/CVE-2020-2743): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-2742 (https://nvd.nist.gov/vuln/detail/CVE-2020-2742): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2020-2701 (https://nvd.nist.gov/vuln/detail/CVE-2020-2701): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

Removing x86 from CC.

This stabilisation bug has been made obsolete by bug 717626.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Unable to check for sanity:
> no match for package: app-emulation/virtualbox-5.2.36

This issue was resolved and addressed in GLSA 202101-09 at https://security.gentoo.org/glsa/202101-09 by GLSA coordinator Aaron Bauman (b-man).