MGASA-2021-0488 - Updated virtualbox packages fix security vulnerabilities

Publication date: 23 Oct 2021
URL: https://advisories.mageia.org/MGASA-2021-0488.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-2475,
     CVE-2021-35538,
     CVE-2021-35540,
     CVE-2021-35542,
     CVE-2021-35545

This update provides the upstream 6.1.28 maintenance release that fixes
atleast the following security vulnerabilities:

Vulnerability in the Oracle VM VirtualBox prior to 6.1.28 contains an
easily exploitable vulnerability that allows high privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of Oracle VM VirtualBox (CVE-2021-2475, CVE-2021-35542).

Vulnerability in the Oracle VM VirtualBox prior to 6.1.28 contains an easily
exploitable vulnerability that allows low privileged attacker with logon to
the infrastructure where Oracle VM VirtualBox executes to compromise Oracle
VM VirtualBox. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox (CVE-2021-35538).

Vulnerability in the Oracle VM VirtualBox prior to 6.1.28 contains an easily
exploitable vulnerability that allows low privileged attacker with logon to
the infrastructure where Oracle VM VirtualBox executes to compromise Oracle
VM VirtualBox. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle VM VirtualBox (CVE-2021-35540).

Vulnerability in the Oracle VM VirtualBox prior to 6.1.28 contains an easily
exploitable vulnerability that allows high privileged attacker with logon to
the infrastructure where Oracle VM VirtualBox executes to compromise Oracle
VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks
may significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and
unauthorized read access to a subset of Oracle VM VirtualBox accessible
data (CVE-2021-35545).

For other upstream fixes in this update, see the referenced changelog.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29566
- https://www.virtualbox.org/wiki/Changelog-6.1#v28
- https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixOVIR
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2475
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35538
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35540
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35542
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35545

SRPMS:
- 8/core/virtualbox-6.1.28-1.mga8
- 8/core/kmod-virtualbox-6.1.28-1.mga8