[Pkg-virtualbox-devel] Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Mon Aug 31 12:35:08 UTC 2015


Hi Moritz,

>
>We'll have a security team meeting at DebConf and will discuss
>virtualbox as well.


following up on the DebConf discussion,
I did update vbox for wheezy and jessie, on
the respective branches on git (names with the codenames)
targeted -security.

http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=wheezy

jessie is going from 4.3.18 to 4.3.30, while wheezy is going from 4.1.18 to 4.1.40

builds are also available from DebOMatic
http://debomatic-amd64.debian.net/distribution#oldstable/virtualbox/4.1.40-dfsg-1+deb7u1/lintian
http://debomatic-amd64.debian.net/distribution#stable/virtualbox/4.3.30-dfsg-1+deb8u1/buildlog


I tried to keep changes as minimal as possible, with just some patch refreshing and nothing more.
(and for changelogs, well, please tell me the best way to update it, because I honestly don't know)





I plan to do the same with virtualbox-ose and squeeze if you allow me to (from 3.2.10 to 3.2.28).

I did some basic testing with both jessie and wheezy in that way.

1) Installed jessie on virtualbox.
2) Installed virtualbox inside the jessie VM (from apt)
3) installed Ubuntu vivid 32 bit in the virtualbox inside the VM
4) updated vbox with the DoM build
5) tested if the VM was still running correctly.

the same for wheezy, and all the testing was successful.

let me know if something is blocking the uploads, or if I can do them by myself (I guess policy and the manual
don't allow DDs to push on security directly).

I don't know exactly which CVEs are fixed, but at least for 4.1.x and 4.3.x ALL of them should be covered.

for vbox ose I guess CVE-2015-2594 will be left out, the only one for which we don't have a targeted patch from upstream.

cheers,

G.


