MGASA-2017-0390

Source
https://advisories.mageia.org/MGASA-2017-0390.html
Import Source
https://advisories.mageia.org/MGASA-2017-0390.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2017-0390
Published
2017-10-27T07:16:04Z
Modified
2017-10-27T06:35:07Z
Summary
Updated virtualbox packages fix security vulnerabilities
Details

This update provides the virtualbox 5.1.30 maintenance release, fixing security and other issues:

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack (CVE-2017-3730).

OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash (CVE-2017-3731).

OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key (CVE-2017-3732).

During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa), then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected (CVE-2017-3733).

A local user can exploit a flaw in the Oracle VM VirtualBox Core component to partially access data, partially modify data, and deny service (CVE-2017-10392, CVE-2017-10407, CVE-2017-10408).

A local user can exploit a flaw in the Oracle VM VirtualBox Core component to partially access data, partially modify data, and partially deny service (CVE-2017-10428).

For other fixes in this update see the referenced changelog.

Affected packages

Mageia:5 / virtualbox

Package

Name
virtualbox
Purl
pkg:rpm/mageia/virtualbox?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / kmod-vboxadditions

Package

Name
kmod-vboxadditions
Purl
pkg:rpm/mageia/kmod-vboxadditions?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / kmod-virtualbox

Package

Name
kmod-virtualbox
Purl
pkg:rpm/mageia/kmod-virtualbox?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / virtualbox

Package

Name
virtualbox
Purl
pkg:rpm/mageia/virtualbox?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-vboxadditions

Package

Name
kmod-vboxadditions
Purl
pkg:rpm/mageia/kmod-vboxadditions?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-virtualbox

Package

Name
kmod-virtualbox
Purl
pkg:rpm/mageia/kmod-virtualbox?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.1.30-1.mga6

Ecosystem specific

{
    "section": "core"
}