openSUSE Security Update : virtualbox (openSUSE-2016-1366)

critical Nessus Plugin ID 95378

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for virtualbox fixes the following issues :

- Fixes CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608, CVE-2016-5610,CVE-2016-5611,CVE-2016-5613 (bsc#1005621)

- Add patch to limit number of simultaneous make jobs.

- Version bump to 5.1.8 (released 2016-10-18 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed keyboard shortcut handling regressions (Mac OS X hosts only; bugs #15937 and #15938) GUI: fixed keyboard handling regression for separate UI (Windows hosts only; bugs #15928) NAT: don't exceed the maximum number of 'search' suffixes. Patch from bug #15948. NAT: fixed parsing of port-forwarding rules with a name which contains a slash (bug #16002) NAT Network: when the host has only loopback nameserver that cannot be mapped to the guests (e.g. dnsmasq running on 127.0.1.1), make DHCP supply NAT Network DNS proxy as nameserver. Bridged Network: prevent flooding syslog with packet allocation error messages (bug #15569) Audio: now using Audio Queues on Mac OS X hosts Audio: fixed recording with the PulseAudio backend (5.1 regression) Audio: various bugfixes Snapshots: fixed regression in 5.1.4 for deleting snapshots with several disks (bug #15831) Snapshots: crash fix and better error reporting when snapshot deletion failed Storage: some fixes for the NVMe emulation with Windows guests API:
fixed initialization of SAS controllers (bug #15972) Build system: make it possible to build VBox on systems which default to Python 3 Windows Additions / VGA: if the guest's power management turns a virtual screen off, blank the corresponding VM window rather than hide the window Windows Additions: fixed a generic bug which could lead to freezing shared folders (bug #15662) Linux hosts / guests: fix for kernels with CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux Additions: don't require all virtual consoles be in text mode. This should fix cases when the guest is booted with a graphical boot screen (bug #15683) Linux Additions: added depmod overrides for the vboxguest and vboxsf kernel modules to fix conflicts with modules shipped by certain Linux distributions X11 Additions:
disable 3D on the guest if the host does not provide enough capabilities (bug #15860)

- Builds keep running out of memory when building the web server part of the package. To help the memory pressure, I have forced make to run with '-j2', rather than use the number of processors. Such a change will slow the build, but will result in a higher rate of success.

- Increase memory allowed in build to 10000 MB.

- Remove file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' - fixed upstream.

- Version bump to 5.1.6 (released 2016-09-12 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed issue with opening '.vbox' files and it's aliases GUI: keyboard grabbing fixes (bugs #15771 and #15745) GUI: fix for passing through Ctrl + mouse-click (Mac OS X hosts only; bug #15714) GUI: fixed automatic deletion of extension pack files (bugs #11352 and #14742) USB: fixed showing unknown device instead of the manufacturer or product description under certain circumstances (5.1.0 regression; bug #15764) XHCI: another fix for a hanging guest under certain conditions as result of the fix for bug #15747, this time for Windows 7 guests Serial: fixed high CPU usage with certain USB to serial converters on Linux hosts (bug #7796) Storage: fixed attaching stream optimized VMDK images (bug #14764) Storage: reject image variants which are unsupported by the backend (bug #7227) Storage: fixed loading saved states created with VirtualBox 5.0.10 and older when using a SCSI controller (bug #15865) Storage: fixed broken NVMe emulation if the host I/O cache setting is enabled Storage: fixed using multiple NVMe controllers if ICH9 is used NVMe: fixed a crash during reset which could happen under certain circumstances Audio: fixed microphone input (5.1.2 regression; bugs #14386 and #15802) Audio: fixed crashes under certain conditions (5.1.0 regression; bug #15887 and others) Audio: fixed recording with the ALSA backend (5.1 regression) Audio: fixed stream access mode with OSS backend (5.1 regression, thanks to Jung-uk Kim) E1000: do also return masked bits when reading the ICR register, this fixes booting from iPXE (5.1.2 regression; bug #15846) BIOS: fixed 4bpp scanline calculation (bug #15787) API: relax the check for the version attribute in OVF/OVA appliances (bug #15856) Windows hosts: fixed crashes when terminating the VM selector or other VBox COM clients (bug #15726 and others) Linux Installer: fixed path to the documentation in .rpm packages (5.1.0 regression) Linux Installer:
fixed the vboxdrv.sh script to prevent an SELinux complaint (bug #15816) Linux hosts: don't use 32-bit legacy capabilities Linux Additions: Linux 4.8 fix for the kernel display driver (bugs #15890 and #15896) Linux Additions: don't load the kernel modules provided by the Linux distribution but load the kernel modules from the official Guest Additions package instead (bug #15324) Linux Additions: fix dynamic resizing problems in recent Linux guests (bug #15875) User Manual: fixed error in the VBoxManage chapter for the getextradata enumerate example (bug #15862)

- Add file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' to compile on kernel 4.8.

Solution

Update the affected virtualbox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1005621

Plugin Details

Severity: Critical

ID: 95378

File Name: openSUSE-2016-1366.nasl

Version: 3.3

Type: local

Agent: unix

Published: 11/29/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:virtualbox-websrv, p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo, cpe:/o:novell:opensuse:42.2, p-cpe:/a:novell:opensuse:python-virtualbox, p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox, p-cpe:/a:novell:opensuse:virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-debugsource, p-cpe:/a:novell:opensuse:virtualbox-devel, p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-tools, p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-x11, p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-source, p-cpe:/a:novell:opensuse:virtualbox-qt, p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 11/28/2016

Reference Information

CVE: CVE-2016-5501, CVE-2016-5538, CVE-2016-5605, CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613