openSUSE Security Update: Security update for virtualbox ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:2935-1 Rating: moderate References: #1005621 Cross-References: CVE-2016-5501 CVE-2016-5538 CVE-2016-5605 CVE-2016-5608 CVE-2016-5610 CVE-2016-5611 CVE-2016-5613 Affected Products: openSUSE Leap 42.2 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for virtualbox fixes the following issues: - Fixes CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608,CVE-2016-5610,CVE-2 016-5611,CVE-2016-5613 (bsc#1005621) - Add patch to limit number of simultaneous make jobs. - Version bump to 5.1.8 (released 2016-10-18 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed keyboard shortcut handling regressions (Mac OS X hosts only; bugs #15937 and #15938) GUI: fixed keyboard handling regression for separate UI (Windows hosts only; bugs #15928) NAT: don't exceed the maximum number of "search" suffixes. Patch from bug #15948. NAT: fixed parsing of port-forwarding rules with a name which contains a slash (bug #16002) NAT Network: when the host has only loopback nameserver that cannot be mapped to the guests (e.g. dnsmasq running on 127.0.1.1), make DHCP supply NAT Network DNS proxy as nameserver. Bridged Network: prevent flooding syslog with packet allocation error messages (bug #15569) Audio: now using Audio Queues on Mac OS X hosts Audio: fixed recording with the PulseAudio backend (5.1 regression) Audio: various bugfixes Snapshots: fixed regression in 5.1.4 for deleting snapshots with several disks (bug #15831) Snapshots: crash fix and better error reporting when snapshot deletion failed Storage: some fixes for the NVMe emulation with Windows guests API: fixed initialization of SAS controllers (bug #15972) Build system: make it possible to build VBox on systems which default to Python 3 Windows Additions / VGA: if the guest's power management turns a virtual screen off, blank the corresponding VM window rather than hide the window Windows Additions: fixed a generic bug which could lead to freezing shared folders (bug #15662) Linux hosts / guests: fix for kernels with CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux Additions: don't require all virtual consoles be in text mode. This should fix cases when the guest is booted with a graphical boot screen (bug #15683) Linux Additions: added depmod overrides for the vboxguest and vboxsf kernel modules to fix conflicts with modules shipped by certain Linux distributions X11 Additions: disable 3D on the guest if the host does not provide enough capabilities (bug #15860) - Builds keep running out of memory when building the web server part of the package. To help the memory pressure, I have forced make to run with "-j2", rather than use the number of processors. Such a change will slow the build, but will result in a higher rate of success. - Increase memory allowed in build to 10000 MB. - Remove file "fix_removal_of_DEFINE_PCI_DEVICE_TABLE" - fixed upstream. - Version bump to 5.1.6 (released 2016-09-12 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed issue with opening '.vbox' files and it's aliases GUI: keyboard grabbing fixes (bugs #15771 and #15745) GUI: fix for passing through Ctrl + mouse-click (Mac OS X hosts only; bug #15714) GUI: fixed automatic deletion of extension pack files (bugs #11352 and #14742) USB: fixed showing unknown device instead of the manufacturer or product description under certain circumstances (5.1.0 regression; bug #15764) XHCI: another fix for a hanging guest under certain conditions as result of the fix for bug #15747, this time for Windows 7 guests Serial: fixed high CPU usage with certain USB to serial converters on Linux hosts (bug #7796) Storage: fixed attaching stream optimized VMDK images (bug #14764) Storage: reject image variants which are unsupported by the backend (bug #7227) Storage: fixed loading saved states created with VirtualBox 5.0.10 and older when using a SCSI controller (bug #15865) Storage: fixed broken NVMe emulation if the host I/O cache setting is enabled Storage: fixed using multiple NVMe controllers if ICH9 is used NVMe: fixed a crash during reset which could happen under certain circumstances Audio: fixed microphone input (5.1.2 regression; bugs #14386 and #15802) Audio: fixed crashes under certain conditions (5.1.0 regression; bug #15887 and others) Audio: fixed recording with the ALSA backend (5.1 regression) Audio: fixed stream access mode with OSS backend (5.1 regression, thanks to Jung-uk Kim) E1000: do also return masked bits when reading the ICR register, this fixes booting from iPXE (5.1.2 regression; bug #15846) BIOS: fixed 4bpp scanline calculation (bug #15787) API: relax the check for the version attribute in OVF/OVA appliances (bug #15856) Windows hosts: fixed crashes when terminating the VM selector or other VBox COM clients (bug #15726 and others) Linux Installer: fixed path to the documentation in .rpm packages (5.1.0 regression) Linux Installer: fixed the vboxdrv.sh script to prevent an SELinux complaint (bug #15816) Linux hosts: don't use 32-bit legacy capabilities Linux Additions: Linux 4.8 fix for the kernel display driver (bugs #15890 and #15896) Linux Additions: don't load the kernel modules provided by the Linux distribution but load the kernel modules from the official Guest Additions package instead (bug #15324) Linux Additions: fix dynamic resizing problems in recent Linux guests (bug #15875) User Manual: fixed error in the VBoxManage chapter for the getextradata enumerate example (bug #15862) - Add file "fix_removal_of_DEFINE_PCI_DEVICE_TABLE" to compile on kernel 4.8. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2016-1366=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (noarch): virtualbox-guest-desktop-icons-5.1.8-3.3 virtualbox-host-source-5.1.8-3.3 - openSUSE Leap 42.2 (x86_64): python-virtualbox-5.1.8-3.3 python-virtualbox-debuginfo-5.1.8-3.3 virtualbox-5.1.8-3.3 virtualbox-debuginfo-5.1.8-3.3 virtualbox-debugsource-5.1.8-3.3 virtualbox-devel-5.1.8-3.3 virtualbox-guest-kmp-default-5.1.8_k4.4.27_2-3.3 virtualbox-guest-kmp-default-debuginfo-5.1.8_k4.4.27_2-3.3 virtualbox-guest-tools-5.1.8-3.3 virtualbox-guest-tools-debuginfo-5.1.8-3.3 virtualbox-guest-x11-5.1.8-3.3 virtualbox-guest-x11-debuginfo-5.1.8-3.3 virtualbox-host-kmp-default-5.1.8_k4.4.27_2-3.3 virtualbox-host-kmp-default-debuginfo-5.1.8_k4.4.27_2-3.3 virtualbox-qt-5.1.8-3.3 virtualbox-qt-debuginfo-5.1.8-3.3 virtualbox-websrv-5.1.8-3.3 virtualbox-websrv-debuginfo-5.1.8-3.3 References: https://www.suse.com/security/cve/CVE-2016-5501.html https://www.suse.com/security/cve/CVE-2016-5538.html https://www.suse.com/security/cve/CVE-2016-5605.html https://www.suse.com/security/cve/CVE-2016-5608.html https://www.suse.com/security/cve/CVE-2016-5610.html https://www.suse.com/security/cve/CVE-2016-5611.html https://www.suse.com/security/cve/CVE-2016-5613.html https://bugzilla.suse.com/1005621