[Bug 1517161] Re: virtualbox SRU for CVE

LocutusOfBorg costamagnagianfranco at yahoo.it
Thu Nov 19 10:20:44 UTC 2015


>> I'm not happy with this request, but well, I monitor for bugs, and I
>> guess I'll continue doing my best in keeping virtualbox working
>> correctly (I couldn't before because I was forced by the MRE updates
>> impossibility)
>
>Is there anything that could be done to help?

Updating virtualbox will make ~100 bugs disappear from the bug tracker.

The code changes are huge, but Oracle, I admit, does a really good job in automatic testing and in keeping virtualbox safe from regressions
(and they are quick in finding/fixing bugs if something is found).

So I hope this update will make things better and better for HWE kernel
users, and won't make any bug appear (as it did with Debian, everything
was smooth on all the currently supported releases, except for a
circular dependency in the dkms/virtualbox binaries, that has been fixed
in a later DSA, and wasn't exactly a regression).

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1517161

Title:
  virtualbox SRU for CVE

Status in virtualbox package in Ubuntu:
  New

Bug description:
  SRU updates for Virtualbox,
  - fix all CVEs around the package (upstream refuses to give targeted fixes) cf. Debian #794466
  - ship kernel modules compatible with latest kernels (fixing e.g. 1457780 1358157 and the hundreds of duplicates)
  - port the new virtualbox kernel module features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself

  
  SRU:
  1) wily: update SRU to xenial 5.0.10-dfsg-2 (sync ongoing)

  No regression potential, just security fixes and bug fixes
  (upstream takes care of auto testing, and I usually test virtualbox deeply prior to release)

  2) vivid: is this needed? let me know, I can update it without issues
  (same update as the trusty one)

  3) trusty:
  update from 4.3.10 to 4.3.34

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the Ubuntu changelogs.

  No notable differences apart from the changelog.

  Testing has been fine, except for the part that I couldn't install the current virtualbox-dkms because of the build failures
  (now trusty images come shipped with 3.19, which makes the dkms build fail).

  So, I directly installed the 4.3.34 and everything was fine.

  4) precise:
  update from 4.1.12 to 4.1.44

  I started from the Debian version that landed in -security some time
  ago, and I rebased with the Ubuntu changelogs.

  Differences from Debian for precise:
  changelog, version (Debian has 4.1.42, Ubuntu has 4.1.44, but this is a really minor difference)
  2 patches:
  - fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (it shouldn't be a problem to comment out that part)

  - fix a runtime dkms build failure, because newer kernels such as
  trusty-lts have CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
  to *not* work with it.

  This is a "*regression*" in the kernel and virtualbox 4.1.12 doesn't work with it anymore either
  (it affects broadwell/skylake cpus only).

  the real fix would be to upgrade to virtualbox 4.2, but since nobody
  so far complained about this problem, I guess we can avoid this major
  upgrade

  testing has been successful, I installed trusty on a vm, upgraded
  virtualbox to 4.1.44, and trusty was still starting ok, even with the
  old precise kernel, and the lts-trusty one.

  packages uploaded here
  https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages

  
  I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best in keeping virtualbox working correctly (I couldn't before because I was forced by the MRE updates impossibility)
