Advisories » MGASA-2018-0437

Updated virtualbox packages fix security vulnerabilities

Publication date: 03 Nov 2018
Modification date: 03 Nov 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-0732, CVE-2018-2909, CVE-2018-3287, CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3294, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298

Description

This update provides virtualbox 5.2.20 and fixes the following security
vulnerabilities:

During key agreement in a TLS handshake using a DH(E) based ciphersuite,
a malicious server can send a very large prime value to the client. The
client then spends an unreasonably long period of time generating a key
for this prime, and hangs until it has finished. This could be exploited
in a Denial of Service attack (CVE-2018-0732).
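The root cause above is that the client starts the expensive modular exponentiation before deciding whether the server-supplied modulus is a reasonable size. The following added example (not part of this advisory, and not the OpenSSL or VirtualBox code) shows the defensive pattern: bound the bit length of the DH modulus with a cheap check before any key generation. The 10000-bit upper bound mirrors the cap OpenSSL adopted in its fix for this CVE; the 2048-bit lower bound, the helper names and the sample inputs are assumptions constructed for this example.

```python
import secrets

# Bounds on the DH modulus a client will accept from a server. The upper
# bound mirrors the 10000-bit cap OpenSSL introduced when fixing
# CVE-2018-0732; the lower bound is an assumption chosen for this example.
MAX_DH_MODULUS_BITS = 10000
MIN_DH_MODULUS_BITS = 2048


def check_server_dh_params(p: int, g: int,
                           min_bits: int = MIN_DH_MODULUS_BITS,
                           max_bits: int = MAX_DH_MODULUS_BITS):
    """Return None if (p, g) are acceptable, otherwise a short reason string.

    Every check here is cheap (bit_length is linear in the size of p);
    nothing performs the modular exponentiation whose cost is what the
    malicious server is trying to inflate.
    """
    if p < 3 or p % 2 == 0:
        return "modulus is not an odd integer greater than 2"
    bits = p.bit_length()
    if bits > max_bits:
        return f"modulus too large: {bits} bits > {max_bits}"
    if bits < min_bits:
        return f"modulus too small: {bits} bits < {min_bits}"
    if not 1 < g < p - 1:
        return "generator out of range"
    return None


def client_key_exchange(p: int, g: int, **bounds):
    """Generate the client's DH key pair only after the parameters pass."""
    reason = check_server_dh_params(p, g, **bounds)
    if reason is not None:
        raise ValueError(f"rejected server DH parameters: {reason}")
    x = secrets.randbelow(p - 2) + 1   # private exponent in [1, p-2]
    y = pow(g, x, p)                   # the expensive step, now bounded
    return x, y


# Constructed inputs for demonstration (not real TLS groups):
TOY_PRIME = (1 << 127) - 1    # the 127-bit Mersenne prime, demo only
OVERSIZED = (1 << 20000) | 1  # odd, 20001 bits: the "very large prime" case

if __name__ == "__main__":
    print(check_server_dh_params(OVERSIZED, 2))
    x, y = client_key_exchange(TOY_PRIME, 2, min_bits=64)
    print(f"public value has {y.bit_length()} bits")
```

In a real client the bounds would be enforced inside the TLS library's ServerKeyExchange handling, before any `pow` call; the point of the example is that rejecting an oversized modulus costs a bit-length comparison, while accepting it costs exponentiation time that grows with the attacker-chosen size.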

VirtualBox contains an easily exploitable vulnerability that allows an
unauthenticated attacker with logon to the infrastructure where
VirtualBox executes to compromise VirtualBox. Successful attacks require
human interaction from a person other than the attacker, and while the
vulnerability is in VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result
in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288,
CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293,
CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).

VirtualBox contains an easily exploitable vulnerability that allows a
low privileged attacker with network access via VRDP to compromise
VirtualBox. Successful attacks require human interaction from a person
other than the attacker, and while the vulnerability is in VirtualBox,
attacks may significantly impact additional products. Successful attacks
of this vulnerability can result in takeover of VirtualBox
(CVE-2018-3294).

For other fixes in this update, see the referenced changelog.

References

SRPMS

6/core