[SRU] Virtualbox 7.0.12 and 6.1.48

Bug #2017101 reported by Gianfranco Costamagna
This bug affects 29 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| virtualbox (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | In Progress | Undecided | Unassigned | |
| Jammy | In Progress | Undecided | Unassigned | |
| Lunar | In Progress | Undecided | Unassigned | |
| virtualbox-ext-pack (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | In Progress | Undecided | Unassigned | |
| Jammy | In Progress | Undecided | Unassigned | |
| Lunar | In Progress | Undecided | Unassigned | |
| virtualbox-guest-additions-iso (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | In Progress | Undecided | Unassigned | |
| Jammy | In Progress | Undecided | Unassigned | |
| Lunar | In Progress | Undecided | Unassigned | |
| virtualbox-hwe (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | In Progress | Undecided | Unassigned | |
| Jammy | In Progress | Undecided | Unassigned | |
| Lunar | In Progress | Undecided | Unassigned | |

Bug Description

[ MICRORELEASE PAGE ]
https://wiki.ubuntu.com/VirtualboxUpdates
[ SRU impact ]
* All vbox users, host and guest

[ Test plan ]
* Install virtualbox, run VMs

[ Possible regressions ]
* Upstream has a really good testsuite and in package history regressions were mostly never found, except for really minor bugs

[ Other Info ]
Sync vbox from Debian, fixing CVEs

| CVE | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21990 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21987 | Oracle VM VirtualBox | Core | None | No | 7.8 | Local | High | Low | None | Changed | High | High | High | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2022-42916 | Oracle VM VirtualBox | Core (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-22002 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21989 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21998 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | See Note 1 |
| CVE-2023-22000 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-22001 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21988 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21999 | Oracle VM VirtualBox | Core | None | No | 3.6 | Local | High | Low | None | Unchanged | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21991 | Oracle VM VirtualBox | Core | None | No | 3.2 | Local | Low | High | None | Changed | Low | None | None | Prior to 6.1.44, Prior to 7.0.8 | |

Gianfranco Costamagna (costamagnagianfranco) wrote :

Also CVE-2022-43551 is fixed with CVE-2022-42916

Gianfranco Costamagna (costamagnagianfranco) wrote :

CVE-2023-21991 CVE-2023-21999 CVE-2023-21988 CVE-2023-22001 CVE-2023-22000 CVE-2023-21998 CVE-2023-21989 CVE-2023-22002 CVE-2022-42916 CVE-2023-21987 CVE-2023-21990

summary: - [SRU] virtualbox
+ [SRU] virtualbox 7.0.8 and 6.1.44
Changed in virtualbox-hwe (Ubuntu Lunar):
status: New → Fix Committed
description: updated
Changed in virtualbox-guest-additions-iso (Ubuntu Lunar):
status: New → Fix Committed
Changed in virtualbox-ext-pack (Ubuntu Lunar):
status: New → Fix Committed
Changed in virtualbox (Ubuntu Lunar):
status: New → Fix Committed
information type: Public → Public Security
Changed in virtualbox-guest-additions-iso (Ubuntu Lunar):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote : Re: [SRU] virtualbox 7.0.8 and 6.1.44

https://launchpad.net/ubuntu/+source/virtualbox-guest-additions-iso/7.0.8-1 is in lunar release, so marking that task as fix released.

Andreas Hasenack (ahasenack) wrote :

To summarize the status on these 4 packages:

lunar unapproved:
virtualbox-7.0.8-1ubuntu1
virtualbox-hwe-7.0.8-dfsg-1ubuntu1.23.04.1

lunar-proposed:
virtualbox-ext-pack 7.0.8-1
last error in excuses is a dependency problem (probably on what's in unapproved)

lunar release:
virtualbox-guest-additions-iso 7.0.8-1
virtualbox-ext-pack 7.0.6-1
virtualbox-7.0.6-dfsg-1
virtualbox-hwe-7.0.6-dfsg-1ubuntu1.23.04.1

My first question is if virtualbox-guest-additions-iso is usable in lunar, given it's at version 7.0.8 and the rest is at 7.0.6? Or, is the rest usable given -guest-additions-iso is ahead?

Second question is if virtualbox has an MRE or some other SRU exception to allow such version bumps in a stable release? I didn't find anything about it in https://wiki.ubuntu.com/StableReleaseUpdates. Sorry, it's the first time I deal with a virtualbox SRU. I checked an older one, and apparently it was the same (https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1973275)

Gianfranco Costamagna (costamagnagianfranco) wrote :

Hello, we did ~10 SRU already, and I found this email in my mailbox (not sure why it didn't go through)

From: Gianfranco Costamagna <email address hidden>
To: Ubuntu-release
Fri 10 Jun 2022 at 12:16

Hello, actually this request comes after we considered de facto virtualbox eligible for SRU.

We did SRU microreleases since even before 14.04, and probably even before the creation of the wiki page with the list of SRU tools.

So, after around 10 years of microrelease updates of virtualbox, virtualbox-lts-*, virtualbox-hwe, virtualbox-ext-pack, virtualbox-guest-additions-iso, I would like to formally add them to the wiki page.

thanks

Gianfranco

Gianfranco Costamagna (costamagnagianfranco) wrote :

src:virtualbox is both host and guest, but 7.0.6 is compatible with 7.0.8, so no issues w.r.t. guest additions pack being a different version.

However, for ext-pack in the past some incompatibilities between versions were spotted, this is why I enforce ext-pack to be the same version as virtualbox, to make sure people upgrade them together.
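
A version check for the situation discussed in this thread, as an added example that is not part of any comment here or of the Ubuntu or VirtualBox tooling: it flags packages older than the fixed releases named in the bug description (6.1.44 and 7.0.8) and an ext-pack whose upstream version differs from virtualbox. The function names are assumptions made for illustration; the sample versions are the lunar release pocket as listed earlier in the thread.

```python
import re
import subprocess

# Fixed-in release per series, taken from the "Prior to 6.1.44, Prior to 7.0.8" column above.
FIXED_IN = {(6, 1): (6, 1, 44), (7, 0): (7, 0, 8)}

def upstream(version):
    """Reduce a Debian version such as '7.0.6-dfsg-1ubuntu1' to the tuple (7, 0, 6)."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) for g in m.groups())

def audit(installed):
    """installed maps package name to version string; returns a list of findings."""
    findings = []
    for pkg, ver in sorted(installed.items()):
        up = upstream(ver)
        fixed = FIXED_IN.get(up[:2])
        if fixed is None:
            findings.append(f"{pkg} {ver}: series not covered by the listed advisory rows")
        elif up < fixed:
            findings.append(f"{pkg} {ver}: older than fixed release {'.'.join(map(str, fixed))}")
    # ext-pack is expected to track the host package's upstream version exactly.
    host, ext = installed.get("virtualbox"), installed.get("virtualbox-ext-pack")
    if host and ext and upstream(host) != upstream(ext):
        findings.append(f"virtualbox-ext-pack {ext} does not match virtualbox {host}")
    return findings

def installed_versions(packages=("virtualbox", "virtualbox-ext-pack",
                                 "virtualbox-guest-additions-iso")):
    """Ask dpkg (Debian/Ubuntu hosts) for each package; packages not installed are skipped."""
    found = {}
    for pkg in packages:
        r = subprocess.run(["dpkg-query", "-W", "-f=${Version}", pkg],
                           capture_output=True, text=True)
        if r.returncode == 0 and r.stdout.strip():
            found[pkg] = r.stdout.strip()
    return found

# Sample input: the lunar release pocket as summarised in the thread.
SAMPLE = {"virtualbox": "7.0.6-dfsg-1", "virtualbox-ext-pack": "7.0.6-1",
          "virtualbox-guest-additions-iso": "7.0.8-1"}

if __name__ == "__main__":
    for line in audit(installed_versions() or SAMPLE):
        print(line)
```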

Qwerty Chouskie (asdfghrbljzmkd) wrote :

Virtualbox is still at version 7.0.6, though oddly enough the Guest Additions ISO package (virtualbox-guest-additions-iso) is at 7.0.8, is there any ETA on getting everything up to 7.0.8 (or even 7.0.10)? 7.0.8 fixes some graphical artifacts when using a Windows 7 guest, and I'd rather not have to use a PPA to get the fix.

description: updated
summary: - [SRU] virtualbox 7.0.8 and 6.1.44
+ [SRU] virtualbox 7.0.10 and 6.1.46
Gianfranco Costamagna (costamagnagianfranco) wrote : Re: [SRU] virtualbox 7.0.10 and 6.1.46

6.1.46 is uploaded for focal and jammy

Changed in virtualbox (Ubuntu Kinetic):
status: New → Invalid
Changed in virtualbox-ext-pack (Ubuntu Kinetic):
status: New → Invalid
Changed in virtualbox-guest-additions-iso (Ubuntu Kinetic):
status: New → Invalid
Changed in virtualbox-hwe (Ubuntu Kinetic):
status: New → Invalid
Changed in virtualbox-guest-additions-iso (Ubuntu Lunar):
status: Fix Released → In Progress
Changed in virtualbox (Ubuntu Focal):
status: New → In Progress
Changed in virtualbox (Ubuntu Jammy):
status: New → In Progress
no longer affects: virtualbox (Ubuntu Kinetic)
no longer affects: virtualbox-guest-additions-iso (Ubuntu Kinetic)
Changed in virtualbox-ext-pack (Ubuntu Focal):
status: New → In Progress
Changed in virtualbox (Ubuntu Lunar):
status: Fix Committed → In Progress
Changed in virtualbox (Ubuntu):
status: Fix Committed → Fix Released
Changed in virtualbox-ext-pack (Ubuntu Jammy):
status: New → In Progress
Changed in virtualbox-ext-pack (Ubuntu Lunar):
status: Fix Committed → In Progress
Changed in virtualbox-ext-pack (Ubuntu):
status: Fix Committed → Fix Released
no longer affects: virtualbox-ext-pack (Ubuntu Kinetic)
no longer affects: virtualbox-hwe (Ubuntu Kinetic)
Changed in virtualbox-hwe (Ubuntu):
status: Fix Committed → Fix Released
Changed in virtualbox-guest-additions-iso (Ubuntu Focal):
status: New → In Progress
Changed in virtualbox-guest-additions-iso (Ubuntu Jammy):
status: New → In Progress
Changed in virtualbox-hwe (Ubuntu Focal):
status: New → In Progress
Changed in virtualbox-hwe (Ubuntu Jammy):
status: New → In Progress
Changed in virtualbox-hwe (Ubuntu Lunar):
status: Fix Committed → In Progress
Qwerty Chouskie (asdfghrbljzmkd) wrote :

> 6.1.46 is uploaded for focal and jammy

I just checked and both Focal and Jammy still seem to be at 6.1.38.

Qwerty Chouskie (asdfghrbljzmkd) wrote :

Both Focal and Jammy are still at 6.1.38. Also in the 7.0 series, 7.0.12 is now released.

summary: - [SRU] virtualbox 7.0.10 and 6.1.46
+ [SRU] Virtualbox 7.0.12 and 6.1.48
This report contains Public Security information  
Everyone can see this security related information.
