SUSE 5183 Published by

A virtualbox security update has been released for openSUSE Leap 15.3.



openSUSE-SU-2021:1092-1: important: Security update for virtualbox


openSUSE Security Update: Security update for virtualbox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1092-1
Rating: important
References: #1188045 #1188105 #1188535 #1188536 #1188537
#1188538
Cross-References: CVE-2021-2409 CVE-2021-2442 CVE-2021-2443
CVE-2021-2454
CVSS scores:
CVE-2021-2409 (NVD) : 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-2442 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
CVE-2021-2443 (NVD) : 7.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
CVE-2021-2454 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that solves four vulnerabilities and has two
fixes is now available.

Description:

This update for virtualbox fixes the following issues:

Version bump to 6.1.24 (released July 20 2021 by Oracle)

This is a maintenance release. The following items were fixed and/or
added:

- Storage: Fixed starting a VM if a device is attached to a VirtIO SCSI
port higher than 30 (bug #20213)
- Storage: Improvement to DVD medium change signaling
- Serial: Fixed a the guest missing interrupts under certain circumstances
(6.0 regression, bug #18668)
- Audio: Multiple fixes and enhancements
- Network: Fixed connectivity issue with virtio-net after resuming VM with
disconnected link
- Network: Fixed UDP GSO fragmentation issue with missing 8 bytes of
payload at the end of the first fragment
- API: Fixed VM configuration for recent Windows Server versions
- Extension Pack: Fixed issues with USB webcam pass-through on Linux
- Host and guest driver: Fix small memory leak (bug #20280)
- Linux host and guest: Support kernel version 5.13 (bug #20456)
- Linux host and guest: Introduce support for SUSE SLES/SLED 15 SP3
kernels (bug #20396)
- Linux host: Installer will not attempt to build kernel modules if system
already has them installed and modules versions match current version
- Guest Additions: Fixed crash on using shared clipboard (bug #19165)
- Linux Guest Additions: Introduce support for Ubuntu specific kernels
(bug #20325)
- Solaris guest: Increased default memory and disk sizes
- EFI: Support network booting with the E1000 network controller emulation
- EFI: Stability improvements (bug #20090)

- This release fixes boo#1188535, VUL-0: CVE-2021-2454, boo#1188536,
VUL-0: CVE-2021-2409, boo#1188537, VUL-0: CVE-2021-2442, and
boo#1188538, VUL-0: CVE-2021-2443.

- Add vboximg-mount to packaging. boo#1188045.
- Fix CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT problem with kernel 5.13 as
shown in boo#1188105.
- Disable the build of kmp vboxvideo, at least temporarily.
- Correct WantedBy entry in vboxadd-service
- Require which for /usr/lib/virtualbox/vboxadd-service
- fix license packaging, small cruft cleanup (avoid owning directories
provided by filesystem rpm)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-2021-1092=1


Package List:

- openSUSE Leap 15.3 (x86_64):

python3-virtualbox-6.1.24-lp153.2.6.1
python3-virtualbox-debuginfo-6.1.24-lp153.2.6.1
virtualbox-6.1.24-lp153.2.6.1
virtualbox-debuginfo-6.1.24-lp153.2.6.1
virtualbox-debugsource-6.1.24-lp153.2.6.1
virtualbox-devel-6.1.24-lp153.2.6.1
virtualbox-guest-tools-6.1.24-lp153.2.6.1
virtualbox-guest-tools-debuginfo-6.1.24-lp153.2.6.1
virtualbox-guest-x11-6.1.24-lp153.2.6.1
virtualbox-guest-x11-debuginfo-6.1.24-lp153.2.6.1
virtualbox-kmp-debugsource-6.1.24-lp153.2.6.1
virtualbox-kmp-default-6.1.24_k5.3.18_59.16-lp153.2.6.1
virtualbox-kmp-default-debuginfo-6.1.24_k5.3.18_59.16-lp153.2.6.1
virtualbox-kmp-preempt-6.1.24_k5.3.18_59.16-lp153.2.6.1
virtualbox-kmp-preempt-debuginfo-6.1.24_k5.3.18_59.16-lp153.2.6.1
virtualbox-qt-6.1.24-lp153.2.6.1
virtualbox-qt-debuginfo-6.1.24-lp153.2.6.1
virtualbox-vnc-6.1.24-lp153.2.6.1
virtualbox-websrv-6.1.24-lp153.2.6.1
virtualbox-websrv-debuginfo-6.1.24-lp153.2.6.1

- openSUSE Leap 15.3 (noarch):

virtualbox-guest-desktop-icons-6.1.24-lp153.2.6.1
virtualbox-guest-source-6.1.24-lp153.2.6.1
virtualbox-host-source-6.1.24-lp153.2.6.1

References:

  https://www.suse.com/security/cve/CVE-2021-2409.html
  https://www.suse.com/security/cve/CVE-2021-2442.html
  https://www.suse.com/security/cve/CVE-2021-2443.html
  https://www.suse.com/security/cve/CVE-2021-2454.html
  https://bugzilla.suse.com/1188045
  https://bugzilla.suse.com/1188105
  https://bugzilla.suse.com/1188535
  https://bugzilla.suse.com/1188536
  https://bugzilla.suse.com/1188537
  https://bugzilla.suse.com/1188538