openSUSE Security Update : virtualbox (openSUSE-2016-1087)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Virtualbox was updated to 5.0.26 to fix the following issues :

This update fixes various security issues.

- CVE-2016-3612: An unspecified vulnerability in the
Oracle VM VirtualBox component in Oracle Virtualization
VirtualBox before 5.0.22 allowed remote attackers to
affect confidentiality via vectors related to Core.
(boo#990369).

- CVE-2016-3597: Unspecified vulnerability in the Oracle
VM VirtualBox component in Oracle Virtualization
VirtualBox before 5.0.26 allows local users to affect
availability via vectors related to Core. (bsc#990370)

- Update the host <-> guest KMP conflict dependencies to
no longer refer to the old name (boo#983927).

This is a maintenance release. The following items were fixed and/or
added :

- VMM: fixed a bug in the task switching code (ticket
#15571)

- GUI: allow to overwrite an existing file when saving a
log file (bug #8034)

- GUI: fixed screenshot if the VM is started in separate
mode

- Audio: improved recording from USB headsets and other
sources which might need conversion of captured data

- Audio: fixed regression of not having any audio
available on Solaris hosts

- VGA: fixed an occasional hang when running Windows
guests with 3D enabled

- Storage: fixed a possible endless reconnect loop for the
iSCSI backend if connecting to the target succeeds but
further I/O requests cause a disconnect

- Storage: fixed a bug when resizing certain VDI images
which resulted in using the whole disk on the host (bug
#15582)

- EFI: fixed access to devices attached to SATA port 2 and
higher (bug #15607)

- API: fixed video recording with VBoxHeadless (bug
#15443)

- API: don't crash if there is no graphics controller
configured (bug #15628)

- VBoxSVC: fixed several memory leaks when handling .dmg
images

Version bump to 5.0.24 (released 2016-06-28 by Oracle) This is a
maintenance release. The following items were fixed and/or added :

- VMM: reverted to the old I/O-APIC code for now to fix
certain regressions with 5.0.22 (bug #15529). This means
that the networking performance with certain guests will
drop to the 5.0.20 level (bug #15295). One workaround is
to disable GRO for Linux guests.

- Main: when taking a screenshot, don't save garbage for
blanked screens

- NAT: correctly parse resolv.conf file with multiple
separators (5.0.22 regression)

- Storage: fixed a possible corruption of stream optimized
VMDK images from VMware when opened in read/write mode
for the first time

- Audio: imlemented dynamic re-attaching of input/output
devices on Mac OS X hosts

- ACPI: notify the guest when the battery / AC state
changes instead of relying on guest polling

- Linux hosts: fixed VERR_VMM_SET_JMP_ABORTED_RESUME Guru
Meditations on hosts with Linux 4.6 or later (bug
#15439)

Version bump to 5.0.22 (released 2016-06-16 by Oracle) This is a
maintenance release. The following items were fixed and/or added :

- VMM: fixes for certain Intel Atom hosts (bug #14915)

- VMM: properly restore the complete FPU state for 32-bit
guests on 64-bit hosts on Intel Sandy Bridge and Ivy
Bridge CPUs

- VMM: new I/O-APIC implementation fixing several bugs and
improving the performance under certain conditions (bug
#15295 and others)

- VMM: fixed a potential Linux guest panic on AMD hosts

- VMM: fixed a potential hang with 32-bit EFI guests on
Intel CPUs (VT-x without unrestricted guest execution)

- GUI: don't allow to start subsequent separate VM
instances

- GUI: raised upper limit for video capture screen
resolution (bug #15432)

- GUI: warn if the VM has less than 128MB VRAM configured
and 3D enabled

- Main: when monitoring DNS configuration changes on
Windows hosts avoid false positives from competing DHCP
renewals. This should fix NAT link flaps when host has
multiple DHCP configured interfaces, in particular when
the host uses OpnVPN.

- Main: properly display an error message if the VRDE
server cannot be enabled at runtime, for example because
another service is using the same port

- NAT: Initialize guest address guess for wildcard
port-forwarding rules with default guest address (bug
#15412)

- VGA: fix for a problem which made certain legacy guests
crash under certain conditions (bug #14811)

- OVF: fixed import problems for some appliances using an
AHCI controller created by 3rd party applications

- SDK: reduced memory usage in the webservice Java
bindings

- Windows Additions: fixes to retain the guest display
layout when resizing or disabling the guest monitors

- Linux hosts: EL 6.8 fix (bug #15411)

- Linux hosts: Linux 4.7 fix (bug #15459)

- Linux Additions: Linux 4.7 fixes (bug #15444)

- Linux Additions: fix for certain 32-bit guests (5.0.18
regression; bug #15320)

- Linux Additions: fixed mouse pointer offset (5.0.18
regression; bug #15324)

- Linux Additions: made old X.Org releases work again with
kernels 3.11 and later (5.0.18 regression; bug #15319)

- Linux Additions: fixed X.Org crash after hard guest
reset (5.0.18 regression; bug #15354)

- Linux Additions: don't stop the X11 setup if loading the
shared folders module fails (5.0.18 regression)

- Linux Additions: don't complain if the Drag and Drop
service is not available on the host

- Solaris Additions: added support for X.org 1.18

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=983927
https://bugzilla.opensuse.org/show_bug.cgi?id=990369
https://bugzilla.opensuse.org/show_bug.cgi?id=990370

Solution :

Update the affected virtualbox packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 93596 ()

Bugtraq ID:

CVE ID: CVE-2016-3597
CVE-2016-3612

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now