Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <[email protected]>
and subject line Closing bugs for requests included in the EoL jessie point
release
has caused the Debian Bug report #831459,
regarding jessie-pu: package virtualbox-guest-additions-iso
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
831459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831459
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Forwarding the email from security team.
the debdiff is the new iso file and a new changelog entry, nothing more.
you can grab the file from here
http://debomatic-amd64.debian.net/distribution#stable/virtualbox-guest-additions-iso/4.3.36-1+deb8u1/buildlog
this is the changelog entry
diff -Nru virtualbox-guest-additions-iso-4.3.18/debian/changelog
virtualbox-guest-additions-iso-4.3.36/debian/changelog
--- virtualbox-guest-additions-iso-4.3.18/debian/changelog 2015-03-26
11:39:19.000000000 +0100
+++ virtualbox-guest-additions-iso-4.3.36/debian/changelog 2016-07-16
13:19:14.000000000 +0200
@@ -1,3 +1,14 @@
+virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium
+
+ * New upstream bugfix release.
+ - Addressed CVE-2016-0592,
+ CVE-2016-0495, CVE-2015-8104,
+ CVE-2015-7183, CVE-2015-5307,
+ CVE-2015-7183, CVE-2015-4813,
+ CVE-2015-4896, CVE-2015-3456
+
+ -- Gianfranco Costamagna <[email protected]> Fri, 15 Jul 2016
18:11:50 +0200
+
virtualbox-guest-additions-iso (4.3.18-3) unstable; urgency=high
* Reuploading the previous package, the -2 got removed because of
Binary files
/tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.18.iso
and
/tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.18.iso
differ
Binary files
/tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.36.iso
and
/tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.36.iso
differ
cheers,
Gianfranco
Il Venerdì 15 Luglio 2016 20:25, Salvatore Bonaccorso <[email protected]> ha
scritto:
Hi Gianfranco,
On Fri, Jul 15, 2016 at 04:10:38PM +0000, Gianfranco Costamagna wrote:
> Hi Security Team, a while ago we got virtualbox updated from 4.3.18
> to 4.3.36 as security > upload.
>
> This was a complete success, but now we have two "issues" 1) there
> is a mismatch between virtualbox and virtualbox-guest-additions-iso
> packages (this isn't a big issue, since it is just a warning)
>
>
> 2) the guest-additions-iso package is an iso file that contains some
> source code (from virtualbox) and builds kernel modules and some
> tools used in the guest machines.
>
> I don't know, but it might be affected by some/many of the same CVEs
> that we fixed in virtualbox, so I think it is a sane idea to have a
> security upload also for this package.
>
> What is your opinion? I can upload a 4.3.36 in a few minutes if
> needed, it is just a matter of packing an iso and creating a
> changelog entry.
The package beeing non-free in all supported suites is not really
supported via security.d.o. Could you contact the stable release
managers to have an update sheduled via a point release?
Cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
Regards,
Salvatore
debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Version: 8.11
Hi,
The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).
Regards,
Adam
--- End Message ---