[vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Frank Mehnert frank.mehnert at oracle.com
Wed Jan 21 13:51:31 UTC 2015


On Wednesday 21 January 2015 18:55:40 Ritesh Raj Sarraf wrote:
> The recently declared CVEs for VBox have fixes mentioned only in the
> 4.3.20 release.
> Debian Jessie is frozen, and for it, we have targeted the 4.3.18
> release. Do you have the broken out patches that fix the vulnerabilities ?

the most CVEs from that CPU are related to the experimental VMSVGA
implementation. This code is not documented and not announced and
regular users will not use it. Therefore I suggest you to just disable
that code by setting


This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
lengthy, therefore disabling this code is IMO the best solution.

CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2014-0224: this is related to OpenSSL and therefore not a problem for
               Linux distributions as you compile your code against the
               distro-specific OpenSSL implementation.

Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher

More information about the vbox-dev mailing list