- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202004-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: VirtualBox: Multiple vulnerabilities Date: April 01, 2020 Bugs: #714064 ID: 202004-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in VirtualBox, the worst of which could allow an attacker to take control of VirtualBox. Background ========== VirtualBox is a powerful virtualization product from Oracle. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/virtualbox < 6.1.2 *>= 5.2.36 *>= 6.0.16 *>= 6.1.2 2 app-emulation/virtualbox-bin < 6.1.2 *>= 5.2.36 *>= 6.0.16 *>= 6.1.2 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. Impact ====== An attacker could take control of VirtualBox resulting in the execution of arbitrary code with the privileges of the process, a Denial of Service condition, or other unspecified impacts. Workaround ========== There is no known workaround at this time. Resolution ========== All VirtualBox 5.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/virtualbox-5.2.36" All VirtualBox 6.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/virtualbox-6.0.16" All VirtualBox 6.1.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.2" All VirtualBox binary 5.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/virtualbox-bin-5.2.36" All VirtualBox binary 6.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/virtualbox-bin-6.0.16" All VirtualBox binary 6.1.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/virtualbox-bin-6.1.2" References ========== [ 1 ] CVE-2019-2926 https://nvd.nist.gov/vuln/detail/CVE-2019-2926 [ 2 ] CVE-2019-2944 https://nvd.nist.gov/vuln/detail/CVE-2019-2944 [ 3 ] CVE-2019-2984 https://nvd.nist.gov/vuln/detail/CVE-2019-2984 [ 4 ] CVE-2019-3002 https://nvd.nist.gov/vuln/detail/CVE-2019-3002 [ 5 ] CVE-2019-3005 https://nvd.nist.gov/vuln/detail/CVE-2019-3005 [ 6 ] CVE-2019-3017 https://nvd.nist.gov/vuln/detail/CVE-2019-3017 [ 7 ] CVE-2019-3021 https://nvd.nist.gov/vuln/detail/CVE-2019-3021 [ 8 ] CVE-2019-3026 https://nvd.nist.gov/vuln/detail/CVE-2019-3026 [ 9 ] CVE-2019-3028 https://nvd.nist.gov/vuln/detail/CVE-2019-3028 [ 10 ] CVE-2019-3031 https://nvd.nist.gov/vuln/detail/CVE-2019-3031 [ 11 ] CVE-2020-2674 https://nvd.nist.gov/vuln/detail/CVE-2020-2674 [ 12 ] CVE-2020-2678 https://nvd.nist.gov/vuln/detail/CVE-2020-2678 [ 13 ] CVE-2020-2681 https://nvd.nist.gov/vuln/detail/CVE-2020-2681 [ 14 ] CVE-2020-2682 https://nvd.nist.gov/vuln/detail/CVE-2020-2682 [ 15 ] CVE-2020-2689 https://nvd.nist.gov/vuln/detail/CVE-2020-2689 [ 16 ] CVE-2020-2690 https://nvd.nist.gov/vuln/detail/CVE-2020-2690 [ 17 ] CVE-2020-2691 https://nvd.nist.gov/vuln/detail/CVE-2020-2691 [ 18 ] CVE-2020-2692 https://nvd.nist.gov/vuln/detail/CVE-2020-2692 [ 19 ] CVE-2020-2693 https://nvd.nist.gov/vuln/detail/CVE-2020-2693 [ 20 ] CVE-2020-2698 https://nvd.nist.gov/vuln/detail/CVE-2020-2698 [ 21 ] CVE-2020-2702 https://nvd.nist.gov/vuln/detail/CVE-2020-2702 [ 22 ] CVE-2020-2703 https://nvd.nist.gov/vuln/detail/CVE-2020-2703 [ 23 ] CVE-2020-2704 https://nvd.nist.gov/vuln/detail/CVE-2020-2704 [ 24 ] CVE-2020-2705 https://nvd.nist.gov/vuln/detail/CVE-2020-2705 [ 25 ] CVE-2020-2725 https://nvd.nist.gov/vuln/detail/CVE-2020-2725 [ 26 ] CVE-2020-2726 https://nvd.nist.gov/vuln/detail/CVE-2020-2726 [ 27 ] CVE-2020-2727 https://nvd.nist.gov/vuln/detail/CVE-2020-2727 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202004-02 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5