[Bug 1517161] Re: virtualbox SRU for CVE

Mathew Hodson mathew.hodson at gmail.com
Tue Nov 17 18:30:38 UTC 2015 

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1517161

Title:
  virtualbox SRU for CVE

Status in virtualbox package in Ubuntu:
  New

Bug description:
  SRU updates for Virtualbox,
  - fix all CVEs around the package (upstream refuses to give targeted fixes) cfr: debian #794466
  - ship kernel modules compatible with latest kernels (fixing e.g. 
  1457780 1358157 and the hundred of duplicates)
  - port the new virtualbox kernel modules features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself

  
  SRU:
  1) wily: update SRU to xenial  5.0.10-dfsg-2 (sync ongoing)

  No regression potential, just security fixes and bug fixes
  (upstream takes care of auto testing, and I usually test deeply virtualbox prior to release)

  2) vivid: is this needed? let me know, I can update it without issues
  (same update as the trusty one)

  3) trusty:
  update from 4.3.10 to 4.3.34

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  no notable differences a part of the changelog.

  testing has been fine, except for the part that I couldn't install the current virtualbox-dkms because of the build failures
  (now trusty images comes with shipped 3.19 that makes the dkms build fail).

  so, directly installed the 4.3.34 and everything was fine.

  4) precise:
  update from 4.1.12 to 4.1.44

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  differences between debian for precise:
  changelog, version (debian has 4.1.42 ubuntu has 4.1.44, but this is a really minor difference)
  2 patches:
  - fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (this shouldn't be a problem to comment that part)

  - fix a runtime dkms build failure, because newer kernel such as
  trusty-lts has CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
  to *not* work with it.

  this is a "*regression*" in the kernel and virtualbox doesn't work also in 4.1.12 anymore with it
  (it affects broadwell/skylake cpus only).

  the real fix would be to upgrade to virtualbox 4.2, but since nobody
  so far complained about this problem, I guess we can avoid this major
  upgrade

  testing has been successful, I installed trusty on a vm, upgraded
  virtualbox to 4.1.44, and trusty was still starting ok, even with the
  old precise kernel, and the lts-trusty one.

  packages uploaded here
  https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages

  
  I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best in keeping virtualbox working correctly (I couldn't before because I was forced by the MRE updates impossibility)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1517161/+subscriptions

More information about the Ubuntu-sponsors mailing list