openSUSE Security Update : virtualbox (openSUSE-2016-1087)

medium Nessus Plugin ID 93596

Synopsis

The remote openSUSE host is missing a security update.

Description

Virtualbox was updated to 5.0.26 to fix the following issues :

This update fixes various security issues.

- CVE-2016-3612: An unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allowed remote attackers to affect confidentiality via vectors related to Core.
(boo#990369).

- CVE-2016-3597: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.26 allows local users to affect availability via vectors related to Core. (bsc#990370)

- Update the host <-> guest KMP conflict dependencies to no longer refer to the old name (boo#983927).

This is a maintenance release. The following items were fixed and/or added :

- VMM: fixed a bug in the task switching code (ticket #15571)

- GUI: allow to overwrite an existing file when saving a log file (bug #8034)

- GUI: fixed screenshot if the VM is started in separate mode

- Audio: improved recording from USB headsets and other sources which might need conversion of captured data

- Audio: fixed regression of not having any audio available on Solaris hosts

- VGA: fixed an occasional hang when running Windows guests with 3D enabled

- Storage: fixed a possible endless reconnect loop for the iSCSI backend if connecting to the target succeeds but further I/O requests cause a disconnect

- Storage: fixed a bug when resizing certain VDI images which resulted in using the whole disk on the host (bug #15582)

- EFI: fixed access to devices attached to SATA port 2 and higher (bug #15607)

- API: fixed video recording with VBoxHeadless (bug #15443)

- API: don't crash if there is no graphics controller configured (bug #15628)

- VBoxSVC: fixed several memory leaks when handling .dmg images

Version bump to 5.0.24 (released 2016-06-28 by Oracle) This is a maintenance release. The following items were fixed and/or added :

- VMM: reverted to the old I/O-APIC code for now to fix certain regressions with 5.0.22 (bug #15529). This means that the networking performance with certain guests will drop to the 5.0.20 level (bug #15295). One workaround is to disable GRO for Linux guests.

- Main: when taking a screenshot, don't save garbage for blanked screens

- NAT: correctly parse resolv.conf file with multiple separators (5.0.22 regression)

- Storage: fixed a possible corruption of stream optimized VMDK images from VMware when opened in read/write mode for the first time

- Audio: imlemented dynamic re-attaching of input/output devices on Mac OS X hosts

- ACPI: notify the guest when the battery / AC state changes instead of relying on guest polling

- Linux hosts: fixed VERR_VMM_SET_JMP_ABORTED_RESUME Guru Meditations on hosts with Linux 4.6 or later (bug #15439)

Version bump to 5.0.22 (released 2016-06-16 by Oracle) This is a maintenance release. The following items were fixed and/or added :

- VMM: fixes for certain Intel Atom hosts (bug #14915)

- VMM: properly restore the complete FPU state for 32-bit guests on 64-bit hosts on Intel Sandy Bridge and Ivy Bridge CPUs

- VMM: new I/O-APIC implementation fixing several bugs and improving the performance under certain conditions (bug #15295 and others)

- VMM: fixed a potential Linux guest panic on AMD hosts

- VMM: fixed a potential hang with 32-bit EFI guests on Intel CPUs (VT-x without unrestricted guest execution)

- GUI: don't allow to start subsequent separate VM instances

- GUI: raised upper limit for video capture screen resolution (bug #15432)

- GUI: warn if the VM has less than 128MB VRAM configured and 3D enabled

- Main: when monitoring DNS configuration changes on Windows hosts avoid false positives from competing DHCP renewals. This should fix NAT link flaps when host has multiple DHCP configured interfaces, in particular when the host uses OpnVPN.

- Main: properly display an error message if the VRDE server cannot be enabled at runtime, for example because another service is using the same port

- NAT: Initialize guest address guess for wildcard port-forwarding rules with default guest address (bug #15412)

- VGA: fix for a problem which made certain legacy guests crash under certain conditions (bug #14811)

- OVF: fixed import problems for some appliances using an AHCI controller created by 3rd party applications

- SDK: reduced memory usage in the webservice Java bindings

- Windows Additions: fixes to retain the guest display layout when resizing or disabling the guest monitors

- Linux hosts: EL 6.8 fix (bug #15411)

- Linux hosts: Linux 4.7 fix (bug #15459)

- Linux Additions: Linux 4.7 fixes (bug #15444)

- Linux Additions: fix for certain 32-bit guests (5.0.18 regression; bug #15320)

- Linux Additions: fixed mouse pointer offset (5.0.18 regression; bug #15324)

- Linux Additions: made old X.Org releases work again with kernels 3.11 and later (5.0.18 regression; bug #15319)

- Linux Additions: fixed X.Org crash after hard guest reset (5.0.18 regression; bug #15354)

- Linux Additions: don't stop the X11 setup if loading the shared folders module fails (5.0.18 regression)

- Linux Additions: don't complain if the Drag and Drop service is not available on the host

- Solaris Additions: added support for X.org 1.18

Solution

Update the affected virtualbox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=983927

https://bugzilla.opensuse.org/show_bug.cgi?id=990369

https://bugzilla.opensuse.org/show_bug.cgi?id=990370

Plugin Details

Severity: Medium

ID: 93596

File Name: openSUSE-2016-1087.nasl

Version: 2.4

Type: local

Agent: unix

Published: 9/20/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python-virtualbox, p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox, p-cpe:/a:novell:opensuse:virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-debugsource, p-cpe:/a:novell:opensuse:virtualbox-devel, p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-tools, p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-x11, p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-source, p-cpe:/a:novell:opensuse:virtualbox-qt, p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-websrv, p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 9/15/2016

Reference Information

CVE: CVE-2016-3597, CVE-2016-3612