openSUSE Security Update: Security update for virtualbox ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0033-1 Rating: important References: Cross-References: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899 CVSS scores: CVE-2023-21884 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2023-21885 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2023-21886 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2023-21889 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2023-21898 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-21899 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for virtualbox fixes the following issues: VirtualBox 7.0.6 (released January 17 2023) This is a maintenance release. The following items were fixed and/or added: [1] - VMM: Fixed guru running the FreeBSD loader on older Intel CPUs without unrestricted guest support (bug #21332) - GUI: Fixed virtual machines grouping when VM was created or modified in command line (bugs #11500, #20933) - GUI: Introduced generic changes in settings dialogs - VirtioNet: Fixed broken network after loading saved state (bug #21172) - Storage: Added support for increasing the size of the following VMDK image variants: monolithicFlat, monolithicSparse, twoGbMaxExtentSparse, twoGbMaxExtentFlat - VBoxManage: Added missing --directory switch for guestcontrol mktemp command - Mouse Integration: Guest was provided with extended host mouse state (bug #21139) - DnD: Introduced generic improvements - Guest Control: Fixed handling creation mode for temporary directories (bug #21394) - Linux Host and Guest: Added initial support for building UEK7 kernel on Oracle Linux 8 - Linux Host and Guest: Added initial support for RHEL 9.1 kernel - Linux Guest Additions: Added initial support for kernel 6.2 for vboxvideo - Audio: The "--audio" option in VBoxManage is now marked as deprecated; please use "--audio-driver" and "--audio-enabled" instead. This will allow more flexibility when changing the driver and/or controlling the audio functionality Additionally, it fixes 6 CVE's: CVE-2023-21886, CVE-2023-21898, CVE-2023-21899, CVE-2023-21884, CVE-2023-21885, CVE-2023-21889 Links: [1] https://www.virtualbox.org/wiki/Changelog-7.0#v6 [2] https://www.oracle.com/security-alerts/cpujan2023.html#AppendixOVIR Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-2023-33=1 Package List: - openSUSE Leap 15.4 (x86_64): python3-virtualbox-7.0.6-lp154.2.26.2 python3-virtualbox-debuginfo-7.0.6-lp154.2.26.2 virtualbox-7.0.6-lp154.2.26.2 virtualbox-debuginfo-7.0.6-lp154.2.26.2 virtualbox-debugsource-7.0.6-lp154.2.26.2 virtualbox-devel-7.0.6-lp154.2.26.2 virtualbox-guest-tools-7.0.6-lp154.2.26.2 virtualbox-guest-tools-debuginfo-7.0.6-lp154.2.26.2 virtualbox-kmp-debugsource-7.0.6-lp154.2.26.2 virtualbox-kmp-default-7.0.6_k5.14.21_150400.24.41-lp154.2.26.2 virtualbox-kmp-default-debuginfo-7.0.6_k5.14.21_150400.24.41-lp154.2.26.2 virtualbox-qt-7.0.6-lp154.2.26.2 virtualbox-qt-debuginfo-7.0.6-lp154.2.26.2 virtualbox-vnc-7.0.6-lp154.2.26.2 virtualbox-websrv-7.0.6-lp154.2.26.2 virtualbox-websrv-debuginfo-7.0.6-lp154.2.26.2 - openSUSE Leap 15.4 (noarch): virtualbox-guest-desktop-icons-7.0.6-lp154.2.26.2 virtualbox-guest-source-7.0.6-lp154.2.26.2 virtualbox-host-source-7.0.6-lp154.2.26.2 References: https://www.suse.com/security/cve/CVE-2023-21884.html https://www.suse.com/security/cve/CVE-2023-21885.html https://www.suse.com/security/cve/CVE-2023-21886.html https://www.suse.com/security/cve/CVE-2023-21889.html https://www.suse.com/security/cve/CVE-2023-21898.html https://www.suse.com/security/cve/CVE-2023-21899.html