[Bug 1517161] Re: virtualbox SRU for CVE
LocutusOfBorg
costamagnagianfranco at yahoo.it
Sat Nov 21 17:58:08 UTC 2015
Hi Tyler, well, I would like if possible to trash the ubuntu changelog,
and start from the exact debian security changelog + the ubuntu change.
e.g. for vivid I started from the trusty changelog, but vivid has an
ubuntu1 and ubuntu2 delta (that is already part of Debian changelogs)
I would appreciate if the above fixes can start from the debian virtualbox.git (jessie and wheezy branches)
http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git
but they are nitpicks, I'm not sure about how ubuntu likes rewriting changelogs of previous releases :)
(I'm an ubuntu vivid user x64 at this moment, I didn't upgrade to wily
yet).
So I did:
download the last trusty from ubuntu.com
install trusty x64 on a virtual machine
install virtualbox (the current one) inside
--fail because of the too new kernel (the dkms doesn't run successfully anymore)
installed virtualbox from my ppa
installed a trusty 32 bit inside my trusty VM,
upgraded everything, rebooted them both
everything was still running
(I also installed the guest-* modules IIRC)
for precise I did mostly the same
install precise in a VM
install the current virtualbox
install trusty 32 bit inside the virtualbox
poweroff the trusty VM inside the VM
upgraded virtualbox to the ppa version
rebooted the trusty VM
checked that everything was still running fine after the upgrade.
The problem about upgrades is that sometimes machines don't start anymore, but it should happen
only between major releases, not minor.
For me it is safe to update, but well, it is a huge piece of software,
it might break on obscure operating systems, architectures, CPU, kernels
and so on...
So far the Debian work has been a complete success, so I think the same Ubuntu work will be too.
(and I have to say, upstream is really good at testing minor releases and keeping the work done correctly, with no regressions)
--
https://bugs.launchpad.net/bugs/1517161
Title:
virtualbox SRU for CVE
Status in virtualbox package in Ubuntu:
Confirmed
Bug description:
SRU updates for Virtualbox,
- fix all CVEs around the package (upstream refuses to give targeted fixes) cfr: debian #794466
- ship kernel modules compatible with latest kernels (fixing e.g.
1457780 1358157 and the hundreds of duplicates)
- port the new virtualbox kernel modules features (from Adam Conrad) also to trusty, because now the kernel module is also provided by the kernel itself
SRU:
1) wily: update SRU to xenial 5.0.10-dfsg-2 (sync ongoing)
No regression potential, just security fixes and bug fixes
(upstream takes care of auto testing, and I usually test deeply virtualbox prior to release)
2) vivid: is this needed? let me know, I can update it without issues
(same update as the trusty one)
3) trusty:
update from 4.3.10 to 4.3.34
I started from the Debian version that landed in -security some time
ago, and I rebased with the ubuntu changelogs.
no notable differences apart from the changelog.
testing has been fine, except for the part that I couldn't install the current virtualbox-dkms because of the build failures
(now trusty images come shipped with 3.19, which makes the dkms build fail).
so, directly installed the 4.3.34 and everything was fine.
4) precise:
update from 4.1.12 to 4.1.44
I started from the Debian version that landed in -security some time
ago, and I rebased with the ubuntu changelogs.
differences between debian for precise:
changelog, version (debian has 4.1.42 ubuntu has 4.1.44, but this is a really minor difference)
2 patches:
- fix a build failure because LIBVNCSERVER_IPv6 is defined but there is no ipv6port exposed (this shouldn't be a problem to comment that part)
- fix a runtime dkms build failure, because newer kernels such as
trusty-lts have CONFIG_X86_SMAP defined, and virtualbox 4.1.x is known
to *not* work with it.
this is a "*regression*" in the kernel, and virtualbox 4.1.12 doesn't work with it anymore either
(it affects broadwell/skylake cpus only).
the real fix would be to upgrade to virtualbox 4.2, but since nobody
so far complained about this problem, I guess we can avoid this major
upgrade
testing has been successful, I installed trusty on a vm, upgraded
virtualbox to 4.1.44, and trusty was still starting ok, even with the
old precise kernel, and the lts-trusty one.
packages uploaded here
https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa/+packages
I'm not happy with this request, but well, I monitor for bugs, and I guess I'll continue doing my best in keeping virtualbox working correctly (I couldn't before because I was forced by the MRE updates impossibility)