MGASA-2018-0437
Vulnerability Summary
Timeline
Description
Updated virtualbox packages fix security vulnerabilities This update provides virtualbox 5.2.20 and fixes the following security vulnerabilities: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (CVE-2018-0732). Vulnerability in VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with logon to the infrastructure where VirtualBox executes to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, (CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298). Vulnerability in VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with llow privileged attacker with network access via VRDP to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-3294). For other fixes in this update, see the referenced changelog.
Affected Systems
- mageia•kmod-vboxadditions
< 5.2.20-1.mga6
- mageia•kmod-virtualbox
< 5.2.20-1.mga6
- mageia•virtualbox
< 5.2.20-1.mga6