MGASA-2018-0437

Source
https://advisories.mageia.org/MGASA-2018-0437.html
Import Source
https://advisories.mageia.org/MGASA-2018-0437.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2018-0437
Related
  • CVE-2018-0732
  • CVE-2018-2909
  • CVE-2018-3287
  • CVE-2018-3288
  • CVE-2018-3289
  • CVE-2018-3290
  • CVE-2018-3291
  • CVE-2018-3292
  • CVE-2018-3293
  • CVE-2018-3294
  • CVE-2018-3295
  • CVE-2018-3296
  • CVE-2018-3297
  • CVE-2018-3298
Published
2018-11-03T11:55:18Z
Modified
2018-11-03T11:29:19Z
Summary
Updated virtualbox packages fix security vulnerabilities
Details

This update provides virtualbox 5.2.20 and fixes the following security vulnerabilities:

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial-of-service attack (CVE-2018-0732).

VirtualBox contains an easily exploitable vulnerability that allows an unauthenticated attacker with logon to the infrastructure where VirtualBox executes to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).

VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with low privileged attacker with network access via VRDP to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-3294).

For other fixes in this update, see the referenced changelog.


Affected packages

Mageia:6 / virtualbox

Package

Name
virtualbox
Purl
pkg:rpm/mageia/virtualbox?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.2.20-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-virtualbox

Package

Name
kmod-virtualbox
Purl
pkg:rpm/mageia/kmod-virtualbox?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.2.20-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-vboxadditions

Package

Name
kmod-vboxadditions
Purl
pkg:rpm/mageia/kmod-vboxadditions?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.2.20-1.mga6

Ecosystem specific

{
    "section": "core"
}