Security update for virtualbox SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0229-1 Final 1 1 2015-01-30T15:11:51Z current 2015-01-30T15:11:51Z 2015-01-30T15:11:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for virtualbox virtualbox was updated to version 4.2.28 to fix eight security issues. These security issues were fixed: - OpenSSL fixes for VirtualBox (CVE-2014-0224) - Unspecified vulnerability in the Oracle VM VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418 (CVE-2015-0377, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427 (CVE-2014-6595, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427 (CVE-2014-6588, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427 (CVE-2014-6589, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427 (CVE-2014-6590, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595 (CVE-2015-0427, bnc#914447). - Unspecified vulnerability in the Oracle VM VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377 (CVE-2015-0418, bnc#914447). For the full changelog please read https://www.virtualbox.org/wiki/Changelog-4.2 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html E-Mail link for openSUSE-SU-2015:0229-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings python-virtualbox-4.2.28-2.25.1 virtualbox-4.2.28-2.25.1 virtualbox-devel-4.2.28-2.25.1 virtualbox-guest-kmp-default-4.2.28_k3.11.10_25-2.25.1 virtualbox-guest-kmp-desktop-4.2.28_k3.11.10_25-2.25.1 virtualbox-guest-kmp-pae-4.2.28_k3.11.10_25-2.25.1 virtualbox-guest-tools-4.2.28-2.25.1 virtualbox-guest-x11-4.2.28-2.25.1 virtualbox-host-kmp-default-4.2.28_k3.11.10_25-2.25.1 virtualbox-host-kmp-desktop-4.2.28_k3.11.10_25-2.25.1 virtualbox-host-kmp-pae-4.2.28_k3.11.10_25-2.25.1 virtualbox-qt-4.2.28-2.25.1 virtualbox-websrv-4.2.28-2.25.1 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. CVE-2014-0224 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2014-0224.html CVE-2014-0224 https://bugzilla.suse.com/1146657 SUSE Bug 1146657 https://bugzilla.suse.com/880891 SUSE Bug 880891 https://bugzilla.suse.com/883126 SUSE Bug 883126 https://bugzilla.suse.com/885777 SUSE Bug 885777 https://bugzilla.suse.com/892403 SUSE Bug 892403 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/905018 SUSE Bug 905018 https://bugzilla.suse.com/905106 SUSE Bug 905106 https://bugzilla.suse.com/914447 SUSE Bug 914447 https://bugzilla.suse.com/915913 SUSE Bug 915913 https://bugzilla.suse.com/916239 SUSE Bug 916239 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. CVE-2014-6588 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2014-6588.html CVE-2014-6588 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. CVE-2014-6589 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2014-6589.html CVE-2014-6589 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. CVE-2014-6590 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2014-6590.html CVE-2014-6590 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. CVE-2014-6595 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2014-6595.html CVE-2014-6595 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418. CVE-2015-0377 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2015-0377.html CVE-2015-0377 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377. CVE-2015-0418 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2015-0418.html CVE-2015-0418 https://bugzilla.suse.com/914447 SUSE Bug 914447 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595. CVE-2015-0427 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-02/msg00030.html https://www.suse.com/security/cve/CVE-2015-0427.html CVE-2015-0427 https://bugzilla.suse.com/914447 SUSE Bug 914447