   openSUSE Security Update: Security update for virtualbox
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:1451-1
Rating:             moderate
References:         #976636 #977200 #977328
Cross-References:   CVE-2016-0678
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   virtualbox was updated to 5.0.18 and also fixes the following issues:

   Version bump to 5.0.18 (released 2016-04-18 by Oracle)

   This is a maintenance release. The following items were fixed and/or
   added:

   - GUI: position off-screen windows to be fully visible again on relaunch,
     consistent with the default behavior (bug #15226)
   - GUI: fixed the View menu / Full-screen Mode behavior on Mac OS X
     El Capitan
   - GUI: fixed a test which allowed encrypting a hard disk with an empty
     password
   - GUI: fixed a crash under certain conditions during VM shutdown
   - GUI: fixed the size of the VM list scrollbar in the VM selector when
     entering a group
   - PC speaker passthrough: fixes (Linux hosts only; bug #627)
   - Drag and drop: several fixes
   - SATA: fixed hotplug flag handling when EFI is used
   - Storage: fixed handling of encrypted disk images with SCSI controllers
     (bug #14812)
   - Storage: fixed possible crash with Solaris 7 if the BusLogic SCSI
     controller is used
   - USB: properly purge non-ASCII characters from USB strings
     (bugs #8801, #15222)
   - NAT Network: fixed 100% CPU load in VBoxNetNAT on Mac OS X under
     certain circumstances (bug #15223)
   - ACPI: fixed ACPI tables to make the display color management settings
     available again for older Windows versions (4.3.22 regression)
   - Guest Control: fixed VBoxManage copyfrom command (bug #14336)
   - Snapshots: fixed several problems when removing older snapshots
     (bug #15206)
   - VBoxManage: fixed --verbose output of the guestcontrol command
   - Windows hosts: hardening fixes required for recent Windows 10 insider
     builds (bugs #15245, #15296)
   - Windows hosts: fixed support of jumbo frames with bridged networking
     (5.0.16 regression; bug #15209)
   - Windows hosts: don't prevent receiving multicast traffic if host-only
     adapters are installed (bug #8698)
   - Linux hosts: added support for the new naming scheme of NVME disks
     when creating raw disks
   - Solaris hosts / guests: properly sign the kernel modules (bug #12608)
   - Linux hosts / guests: Linux 4.5 fixes (bug #15251)
   - Linux hosts / guests: Linux 4.6 fixes (bug #15298)
   - Linux Additions: added a kernel graphics driver to support graphics
     when X.Org does not have root rights (bug #14732)
   - Linux/Solaris Additions: fixed several issues causing Linux/Solaris
     guests to use software rendering when 3D acceleration is available
   - Windows Additions: fixed a hang with PowerPoint 2010 and the WDDM
     drivers if Aero is disabled

   Additional bugfixes:

   * Fix start failure of the vboxadd service routine. The script fails
     because /var/lib/VBoxGuestAdditions/config does not exist; however,
     there is no need for this file, so the service routine has been
     modified (boo#977328).
   * Add missing initialization of scanout buffer base and size for proper
     fbdev support.
   * Add support for delayed_io in the fbdev layer (boo#977200).

   - This submission fixes the bug in VB 5.0.18 that prevents proper
     operation for guest VMs configured to use a LsiLogic adapter for
     disks. See ticket https://www.virtualbox.org/ticket/15317 for a
     description of the problem, and changeset
     https://www.virtualbox.org/changeset/60565/vbox for the fix, which is
     implemented in file "changeset_60565.diff".

   This update contains a fix for CVE-2016-0678. Bug report boo#976636
   discusses this vulnerability.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2016-666=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.1 (x86_64):

      python-virtualbox-5.0.18-16.1
      python-virtualbox-debuginfo-5.0.18-16.1
      virtualbox-5.0.18-16.1
      virtualbox-debuginfo-5.0.18-16.1
      virtualbox-debugsource-5.0.18-16.1
      virtualbox-devel-5.0.18-16.1
      virtualbox-guest-kmp-default-5.0.18_k4.1.21_14-16.1
      virtualbox-guest-kmp-default-debuginfo-5.0.18_k4.1.21_14-16.1
      virtualbox-guest-tools-5.0.18-16.1
      virtualbox-guest-tools-debuginfo-5.0.18-16.1
      virtualbox-guest-x11-5.0.18-16.1
      virtualbox-guest-x11-debuginfo-5.0.18-16.1
      virtualbox-host-kmp-default-5.0.18_k4.1.21_14-16.1
      virtualbox-host-kmp-default-debuginfo-5.0.18_k4.1.21_14-16.1
      virtualbox-qt-5.0.18-16.1
      virtualbox-qt-debuginfo-5.0.18-16.1
      virtualbox-websrv-5.0.18-16.1
      virtualbox-websrv-debuginfo-5.0.18-16.1

   - openSUSE Leap 42.1 (noarch):

      virtualbox-guest-desktop-icons-5.0.18-16.1
      virtualbox-host-source-5.0.18-16.1


References:

   https://www.suse.com/security/cve/CVE-2016-0678.html
   https://bugzilla.suse.com/976636
   https://bugzilla.suse.com/977200
   https://bugzilla.suse.com/977328
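
To confirm that a host carries the fixed build, the following script (an added example, not part of the openSUSE announcement) flags any installed virtualbox package older than the 5.0.18-16.1 release in the package list. The function names, the sample inventory and the use of GNU `sort -V` in place of rpm's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: report virtualbox packages older than the fixed build.
FIXED="5.0.18-16.1"   # version-release taken from this advisory's package list

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering stands in for rpm's own comparison,
# which is adequate for the plain numeric versions used here (no epochs).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vbox_unpatched: reads "name version-release" lines on stdin and prints
# those below FIXED. Kernel-module packages (-kmp-) carry a "_k<kernel>"
# suffix inside the version, e.g. 5.0.18_k4.1.21_14-16.1; it is stripped
# so that only the VirtualBox version and the release are compared.
vbox_unpatched() {
    while read -r name vr; do
        case "$name" in
            virtualbox*|python-virtualbox*) ;;
            *) continue ;;
        esac
        ver=${vr%-*}       # everything before the last "-"
        rel=${vr##*-}      # everything after the last "-"
        ver=${ver%%_k*}    # drop the kernel suffix of kmp packages
        if ver_lt "$ver-$rel" "$FIXED"; then
            printf '%s %s\n' "$name" "$vr"
        fi
    done
}

# Constructed sample inventory (not from a real system): two stale
# packages, two fixed ones, and one unrelated package.
sample_inventory() {
cat <<'EOF'
virtualbox 5.0.16-13.2
virtualbox-qt 5.0.18-16.1
virtualbox-host-kmp-default 5.0.16_k4.1.20_11-13.2
virtualbox-guest-tools 5.0.18-16.1
kernel-default 4.1.21-14.2
EOF
}

# On a real host, feed the function from rpm instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | vbox_unpatched
sample_inventory | vbox_unpatched
```

Empty output means every virtualbox package is at or above the fixed release; any line printed names a package that still needs `zypper patch`.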