[Bug 1517161] [NEW] virtualbox SRU for CVE

Seth Arnold 1517161 at bugs.launchpad.net
Thu Nov 19 00:33:56 UTC 2015


On Wed, Nov 18, 2015 at 11:50:04AM -0000, Launchpad Bug Tracker wrote:
> 2) vivid: is this needed? let me know, I can update it without issues
> (same update as the trusty one)

Vivid's lifetime is through January, 2016; if this update is easy for you
to add, please do.

> 3) trusty:
> update from 4.3.10 to 4.3.34
> 
> I started from the Debian version that landed in -security some time
> ago, and I rebased with the ubuntu changelogs.
> 
> no notable differences apart from the changelog.
> 
> testing has been fine, except for the part that I couldn't install the
> current virtualbox-dkms because of the build failures (now trusty images
> come shipped with 3.19 that makes the dkms build fail).
> 
> so, directly installed the 4.3.34 and everything was fine.

Trusty sounds difficult. There are multiple supported kernels for 14.04 LTS:
  - 3.13 kernel in 14.04.1
  - 3.16 kernel from 14.04.2 (linux-generic-lts-utopic)
  - 3.19 kernel from 14.04.3 (linux-generic-lts-vivid)
  - 4.2 kernel (linux-generic-lts-wily).

All of these are currently supported; when 16.04 LTS is released, I think
then only the original 3.13 kernel and the (probably) 4.4 kernel from
16.04 LTS will be supported.

I think VB hasn't worked for anyone on the HWE kernels; will this update
mean VB will only work on the newest HWE kernels and break for users
still on the original 3.13 kernels?

> I'm not happy with this request, but well, I monitor for bugs, and I
> guess I'll continue doing my best in keeping virtualbox working
> correctly (I couldn't before because I was forced by the MRE updates
> impossibility)

Is there anything that could be done to help?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1517161

Title:
  virtualbox SRU for CVE

Status in virtualbox package in Ubuntu:
  New

Bug description:
  SRU updates for Virtualbox,
  - fix all CVEs around the package (upstream refuses to give targeted fixes) cfr: debian #794466
  - ship kernel modules compatible with latest kernels (fixing e.g.
  1457780 1358157 and the hundreds of duplicates)
  - port the new virtualbox kernel modules features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself

  
  SRU:
  1) wily: update SRU to xenial  5.0.10-dfsg-2 (sync ongoing)

  No regression potential, just security fixes and bug fixes
  (upstream takes care of auto testing, and I usually test deeply virtualbox prior to release)

  2) vivid: is this needed? let me know, I can update it without issues
  (same update as the trusty one)

  3) trusty:
  update from 4.3.10 to 4.3.34

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  no notable differences apart from the changelog.

  testing has been fine, except for the part that I couldn't install the current virtualbox-dkms because of the build failures
  (now trusty images come shipped with 3.19 that makes the dkms build fail).

  so, directly installed the 4.3.34 and everything was fine.

  4) precise:
  update from 4.1.12 to 4.1.44

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the ubuntu changelogs.

  differences between debian for precise:
  changelog, version (debian has 4.1.42 ubuntu has 4.1.44, but this is a really minor difference)
  2 patches:
  - fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (this shouldn't be a problem to comment that part)

  - fix a runtime dkms build failure, because newer kernels such as
  trusty-lts have CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
  to *not* work with it.

  this is a "*regression*" in the kernel and virtualbox doesn't work also in 4.1.12 anymore with it
  (it affects broadwell/skylake cpus only).

  the real fix would be to upgrade to virtualbox 4.2, but since nobody
  so far complained about this problem, I guess we can avoid this major
  upgrade

  testing has been successful, I installed trusty on a vm, upgraded
  virtualbox to 4.1.44, and trusty was still starting ok, even with the
  old precise kernel, and the lts-trusty one.

  packages uploaded here
  https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages

  
  I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best in keeping virtualbox working correctly (I couldn't before because I was forced by the MRE updates impossibility)
