[SRU] Virtualbox in trusty 14.04 is an old version and has many security vulnerabilities

Bug #1812671 reported by Mike Salvatore
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
virtualbox (Ubuntu) | Fix Released | Undecided | Gianfranco Costamagna |
  Trusty | Fix Released | Undecided | Gianfranco Costamagna |
virtualbox-guest-additions-iso (Ubuntu) | Fix Released | Undecided | Gianfranco Costamagna |
  Trusty | Fix Released | Undecided | Gianfranco Costamagna |
virtualbox-lts-xenial (Ubuntu) | | | |
  Trusty | Fix Released | Undecided | Gianfranco Costamagna |

Bug Description

[Impact]
The Virtualbox version in trusty 14.04 is 4.3.36. It is affected by up to 110 vulnerabilities. 23 can be resolved if virtualbox can be upgraded to 5.0.40. An additional 37 can be resolved if virtualbox can be upgraded to 5.1.38.

[Test Case]
* Install Vbox, and play with it

[Regression Potential]
* low, never had regressions in stable updates.
* upstream is really careful in its testing before release

Gianfranco Costamagna (costamagnagianfranco) wrote :

Mike, I uploaded them on my ppa [1] and unapproved queue.

I think 5* series is out of scope here, but 4.3.40 is a minor jump I can do.

We can consider a 5* jump, but this probably requires a kbuild backport and a lot more testing, since the diff will be considerably huge.

[1] https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/virtualbox-ppa

We can SRU this one now, and wait for the new one in the future?

Changed in virtualbox-guest-additions-iso (Ubuntu):
status: New → In Progress
Changed in virtualbox (Ubuntu):
status: New → In Progress
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-guest-additions-iso (Ubuntu):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
summary: - Virtualbox in trusty 14.04 is an old version and has many security
+ [SRU] Virtualbox in trusty 14.04 is an old version and has many security
vulnerabilities
description: updated
Mark Foster (fostermarkd) wrote :

Given that 5.2.24+ is needed to solve CVE-2019-2511 and Trusty is ~3 months until EOL, is it even worth doing?

Gianfranco Costamagna (costamagnagianfranco) wrote :

I suspect it is, especially because lots of people probably won't upgrade right after it becomes EOL... Fixing something is better than nothing (this is a safe update)

Changed in virtualbox-lts-xenial (Ubuntu):
status: New → Fix Released
Changed in virtualbox (Ubuntu):
status: In Progress → Fix Released
Changed in virtualbox-guest-additions-iso (Ubuntu):
status: In Progress → Fix Released
Changed in virtualbox (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: New → In Progress
Changed in virtualbox (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-lts-xenial (Ubuntu):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Changed in virtualbox-lts-xenial (Ubuntu Trusty):
assignee: nobody → Gianfranco Costamagna (costamagnagianfranco)
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Mike, or anyone else affected,

Accepted virtualbox-guest-additions-iso into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-guest-additions-iso/4.3.40-0ubuntu1.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Timo Aaltonen (tjaalton) wrote :

Hello Mike, or anyone else affected,

Accepted virtualbox into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox/4.3.40-dfsg-0ubuntu14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox (Ubuntu Trusty):
status: In Progress → Fix Committed
Gianfranco Costamagna (costamagnagianfranco) wrote :

everything seems ok!
dpkg -l |grep virtual
ii virtualbox 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - base binaries
ii virtualbox-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - kernel module sources for dkms
ii virtualbox-guest-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - guest addition module source for dkms
ii virtualbox-guest-utils 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
ii virtualbox-guest-x11 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - X11 guest utilities

and also the x11-lts-xenial is installable correctly!
rc virtualbox 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - base binaries
ii virtualbox-dkms 4.3.40-dfsg-0ubuntu14.04.1 all x86 virtualization solution - kernel module sources for dkms
rc virtualbox-guest-utils 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
ii virtualbox-guest-utils-lts-xenial 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 amd64 x86 virtualization solution - non-X11 guest utilities
rc virtualbox-guest-x11 4.3.40-dfsg-0ubuntu14.04.1 amd64 x86 virtualization solution - X11 guest utilities
ii virtualbox-guest-x11-lts-xenial 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 amd64 x86 virtualization solution - X11 guest utilities

tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Mathew Hodson (mhodson) wrote :

Accepted virtualbox-lts-xenial into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-lts-xenial/4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: In Progress → Fix Committed
no longer affects: virtualbox-lts-xenial (Ubuntu)
tags: added: verification-needed verification-needed-trusty
removed: verification-done verification-done-trusty
tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-lts-xenial - 4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1

---------------
virtualbox-lts-xenial (4.3.40-dfsg-0ubuntu1.14.04.1~14.04.1) trusty; urgency=medium

  * Use lts-xenial stack. Build only guest additions (LP: #1424769).

 -- Gianfranco Costamagna <email address hidden> Fri, 01 Mar 2019 15:13:03 +0100

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for virtualbox has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-guest-additions-iso - 4.3.40-0ubuntu1.14.04.1

---------------
virtualbox-guest-additions-iso (4.3.40-0ubuntu1.14.04.1) trusty; urgency=medium

  * New upstream release
    (LP: #1812671)

 -- Gianfranco Costamagna <email address hidden> Mon, 21 Jan 2019 14:33:17 +0100

Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.3.40-dfsg-0ubuntu14.04.1

---------------
virtualbox (4.3.40-dfsg-0ubuntu14.04.1) trusty; urgency=medium

  * New upstream release (LP: #1812671)

 -- Gianfranco Costamagna <email address hidden> Mon, 21 Jan 2019 14:33:14 +0100

Changed in virtualbox (Ubuntu Trusty):
status: Fix Committed → Fix Released