[Bug 1517161] Re: virtualbox SRU for CVE
Tyler Hicks
tyhicks at canonical.com
Sat Nov 21 01:51:21 UTC 2015
Hello - Big thanks for these updates!
Can you comment on the level of testing performed? There were quite a
few packaging changes so I'd like to hear that they've all been
thoroughly installation and upgrade tested.
I'm going to adjust the versioning of the vivid update to
4.3.34-dfsg-1+deb8u1ubuntu1.15.04.1 and the trusty update to
4.3.34-dfsg-1+deb8u1ubuntu1.14.04.1. This is in line with the versioning
instructions at
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.
While not a blocker for these updates, I'd like to see a bit more
descriptive changelog entries than "Fix control file" in the future. :)
I'll get these building in the security-proposed ppa and then we can
release them early next week. Thanks again!
** Changed in: virtualbox (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1517161
Title:
virtualbox SRU for CVE
Status in virtualbox package in Ubuntu:
Confirmed
Bug description:
SRU updates for Virtualbox,
- fix all CVEs around the package (upstream refuses to give targeted fixes) cfr: debian #794466
- ship kernel modules compatible with latest kernels (fixing e.g.
1457780 1358157 and the hundreds of duplicates)
- port the new virtualbox kernel modules features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself
SRU:
1) wily: update SRU to xenial 5.0.10-dfsg-2 (sync ongoing)
No regression potential, just security fixes and bug fixes
(upstream takes care of auto testing, and I usually test deeply virtualbox prior to release)
2) vivid: is this needed? let me know, I can update it without issues
(same update as the trusty one)
3) trusty:
update from 4.3.10 to 4.3.34
I started from the Debian version that landed in -security some time
ago, and I rebased with the ubuntu changelogs.
No notable differences apart from the changelog.
Testing has been fine, except that I couldn't install the current virtualbox-dkms because of the build failures
(trusty images now ship with 3.19, which makes the dkms build fail).
So I directly installed 4.3.34 and everything was fine.
4) precise:
update from 4.1.12 to 4.1.44
I started from the Debian version that landed in -security some time
ago, and I rebased with the ubuntu changelogs.
Differences from Debian for precise:
changelog, version (Debian has 4.1.42, Ubuntu has 4.1.44, but this is a really minor difference)
2 patches:
- fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (this shouldn't be a problem to comment that part)
- fix a runtime dkms build failure, because newer kernel such as
trusty-lts has CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
to *not* work with it.
This is a "*regression*" in the kernel, and virtualbox 4.1.12 also no longer works with it
(it affects broadwell/skylake cpus only).
the real fix would be to upgrade to virtualbox 4.2, but since nobody
so far complained about this problem, I guess we can avoid this major
upgrade
Testing has been successful: I installed trusty on a VM, upgraded
virtualbox to 4.1.44, and trusty was still starting OK, even with the
old precise kernel and the lts-trusty one.
packages uploaded here
https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages
I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best to keep virtualbox working correctly (I couldn't before, because I was blocked by the impossibility of MRE updates).