Security update for virtualbox SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0165-1 Final 1 1 2021-01-25T19:01:06Z current 2021-01-25T19:01:06Z 2021-01-25T19:01:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for virtualbox This update for virtualbox fixes the following issues: Version update to 6.1.18 (released January 19 2021) This is a maintenance release. The following items were fixed and/or added: - Nested VM: Fixed hangs when executing SMP nested-guests under certain conditions on Intel hosts (bug #19315, #19561) - OCI integration: Cloud Instance parameters parsing is improved on import (bug #19156) - Network: UDP checksum offloading in e1000 no longer produces zero checksums (bug #19930) - Network: Fixed Host-Only Ethernet Adapter DHCP, guest os can not get IP on host resume (bug #19620) - NAT: Fixed mss parameter handing (bug #15256) - macOS host: Multiple optimizations for BigSur - Audio: Fixed issues with audio playback after host goes to sleep (bug #18594) - Documentation: Some content touch-up and table formatting fixes - Linux host and guest: Support kernel version 5.10 (bug #20055) - Solaris host: Fix regression breaking VGA text mode since version 6.1.0 - Guest Additions: Fixed a build failure affecting CentOS 8.2-2004 and later (bug #20091) - Guest Additions: Fixed a build failure affecting Linux kernels 3.2.0 through 3.2.50 (bug #20006) - Guest Additions: Fixed a VM segfault on copy with shared clipboard with X11 (bug #19226) - Shared Folder: Fixed error with remounting on Linux guests - Fixes CVE-2021-2074, boo#1181197 and CVE-2021-2129, boo#1181198. - Disable build of guest modules. These are included in recent kernels - Fix additional mouse control dialog issues. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-165 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOZDUDAVWBPMEHQXT2I4NXOMGVCWB5BM/ E-Mail link for openSUSE-SU-2021:0165-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181197 SUSE Bug 1181197 https://bugzilla.suse.com/1181198 SUSE Bug 1181198 https://www.suse.com/security/cve/CVE-2021-2074/ SUSE CVE CVE-2021-2074 page https://www.suse.com/security/cve/CVE-2021-2129/ SUSE CVE CVE-2021-2129 page openSUSE Leap 15.2 python3-virtualbox-6.1.18-lp152.2.11.1 virtualbox-6.1.18-lp152.2.11.1 virtualbox-devel-6.1.18-lp152.2.11.1 virtualbox-guest-desktop-icons-6.1.18-lp152.2.11.1 virtualbox-guest-tools-6.1.18-lp152.2.11.1 virtualbox-guest-x11-6.1.18-lp152.2.11.1 virtualbox-host-source-6.1.18-lp152.2.11.1 virtualbox-kmp-default-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 virtualbox-kmp-preempt-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 virtualbox-qt-6.1.18-lp152.2.11.1 virtualbox-vnc-6.1.18-lp152.2.11.1 virtualbox-websrv-6.1.18-lp152.2.11.1 python3-virtualbox-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-devel-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-guest-desktop-icons-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-guest-tools-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-guest-x11-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-host-source-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-kmp-default-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-kmp-preempt-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-qt-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-vnc-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 virtualbox-websrv-6.1.18-lp152.2.11.1 as a component of openSUSE Leap 15.2 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). CVE-2021-2074 openSUSE Leap 15.2:python3-virtualbox-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-devel-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-desktop-icons-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-tools-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-x11-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-host-source-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-kmp-default-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-kmp-preempt-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-qt-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-vnc-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-websrv-6.1.18-lp152.2.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOZDUDAVWBPMEHQXT2I4NXOMGVCWB5BM/ https://www.suse.com/security/cve/CVE-2021-2074.html CVE-2021-2074 https://bugzilla.suse.com/1181197 SUSE Bug 1181197 https://bugzilla.suse.com/1181199 SUSE Bug 1181199 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 7.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N). CVE-2021-2129 openSUSE Leap 15.2:python3-virtualbox-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-devel-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-desktop-icons-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-tools-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-guest-x11-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-host-source-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-kmp-default-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-kmp-preempt-6.1.18_k5.3.18_lp152.60-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-qt-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-vnc-6.1.18-lp152.2.11.1 openSUSE Leap 15.2:virtualbox-websrv-6.1.18-lp152.2.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOZDUDAVWBPMEHQXT2I4NXOMGVCWB5BM/ https://www.suse.com/security/cve/CVE-2021-2129.html CVE-2021-2129 https://bugzilla.suse.com/1181198 SUSE Bug 1181198 https://bugzilla.suse.com/1181199 SUSE Bug 1181199