[Bug 1517161] Re: virtualbox SRU for CVE

LocutusOfBorg costamagnagianfranco at yahoo.it
Mon Dec 7 08:00:53 UTC 2015


Amr, my pleasure! Yes, I hope I'll continue updating it now that the SRU
policy has been relaxed.

Please note anyway that you might want to use the newer 5.0 version of
virtualbox; 4.x is only a maintenance release (only bug fixes and CVE
fixes).

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1517161

Title:
  virtualbox SRU for CVE

Status in virtualbox package in Ubuntu:
  Fix Released

Bug description:
  SRU updates for Virtualbox,
  - fix all CVEs around the package (upstream refuses to give targeted fixes) cfr: debian #794466
  - ship kernel modules compatible with latest kernels (fixing e.g.
  1457780 1358157 and the hundreds of duplicates)
  - port the new virtualbox kernel modules features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself

  
  SRU:
  1) wily: update SRU to xenial  5.0.10-dfsg-2 (sync ongoing)

  No regression potential, just security fixes and bug fixes
  (upstream takes care of auto testing, and I usually test deeply virtualbox prior to release)

  2) vivid: is this needed? let me know, I can update it without issues
  (same update as the trusty one)

  3) trusty:
  update from 4.3.10 to 4.3.34

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  No notable differences apart from the changelog.

  Testing has been fine, except that I couldn't install the current virtualbox-dkms because of the build failures
  (trusty images now ship with kernel 3.19, which makes the dkms build fail).

  So, I directly installed 4.3.34 and everything was fine.

  4) precise:
  update from 4.1.12 to 4.1.44

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  Differences from Debian for precise:
  changelog, version (Debian has 4.1.42, Ubuntu has 4.1.44, but this is a really minor difference)
  2 patches:
  - fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (it shouldn't be a problem to comment out that part)

  - fix a runtime dkms build failure, because newer kernel such as
  trusty-lts has CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
  to *not* work with it.

  This is a "*regression*" in the kernel, and virtualbox 4.1.12 doesn't work with it anymore either
  (it affects Broadwell/Skylake CPUs only).

  The real fix would be to upgrade to virtualbox 4.2, but since nobody
  so far complained about this problem, I guess we can avoid this major
  upgrade.

  testing has been successful, I installed trusty on a vm, upgraded
  virtualbox to 4.1.44, and trusty was still starting ok, even with the
  old precise kernel, and the lts-trusty one.

  packages uploaded here
  https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages

  
  I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best in keeping virtualbox working correctly (I couldn't before because MRE updates were impossible).
