MGASA-2016-0408

Published: 2016-12-05T21:49:27Z
Last modified: 2026-04-16T06:25:08.342906879Z
CISA KEV: not listed
EPSS: not available

Updated virtualbox packages fix security vulnerabilities

This update provides the virtualbox 5.1.10 maintenance release and resolves at least the following security issues:

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c (CVE-2016-2177).

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack (CVE-2016-2178).

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c (CVE-2016-2179).

The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command (CVE-2016-2180).

The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c (CVE-2016-2181).

The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c (CVE-2016-2182).

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack (CVE-2016-2183).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core, a different vulnerability than CVE-2016-5538 (CVE-2016-5501).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core, a different vulnerability than CVE-2016-5501 (CVE-2016-5538).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.1.4 in Oracle Virtualization allows remote attackers to affect confidentiality and integrity via vectors related to VRDE (CVE-2016-5605).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect availability via vectors related to Core, a different vulnerability than CVE-2016-5613 (CVE-2016-5608).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core (CVE-2016-5610, CVE-2016-5611).

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect availability via vectors related to Core, a different vulnerability than CVE-2016-5608 (CVE-2016-5613).

The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short (CVE-2016-6302).

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors (CVE-2016-6303).

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions (CVE-2016-6304).

The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call (CVE-2016-6305).

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c (CVE-2016-6306).

The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c (CVE-2016-6307).

statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages (CVE-2016-6308).

statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session (CVE-2016-6309).

crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation (CVE-2016-7052).

For other fixes in this update, read the referenced changelog.

Aliases: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-5501, CVE-2016-5538, CVE-2016-5605, CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052

References (source: osv_mageia):
- https://advisories.mageia.org/MGASA-2016-0408.html (Advisory)
- https://bugs.mageia.org/show_bug.cgi?id=19213 (Report)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html (Report, Advisory)
- https://www.virtualbox.org/wiki/Changelog (Report, Web)

Affected packages (ecosystem: Mageia, vendor: mageia, package type: rpm); the fixed version is excluded from the affected range:
- kmod-vboxadditions: versions before 5.1.10-1.1.mga5
- kmod-virtualbox: versions before 5.1.10-1.1.mga5
- virtualbox: versions before 5.1.10-1.1.mga5