{"id":"MGASA-2018-0437","summary":"Updated virtualbox packages fix security vulnerabilities","details":"This update provides virtualbox 5.2.20 and fixes the following security\nvulnerabilities:\n\nDuring key agreement in a TLS handshake using a DH(E) based ciphersuite\na malicious server can send a very large prime value to the client. This\nwill cause the client to spend an unreasonably long period of time\ngenerating a key for this prime resulting in a hang until the client has\nfinished. This could be exploited in a Denial Of Service attack\n(CVE-2018-0732).\n\nVulnerability in VirtualBox contains an easily exploitable vulnerability\nthat allows unauthenticated attacker with logon to the infrastructure\nwhere VirtualBox executes to compromise VirtualBox. Successful attacks\nrequire human interaction from a person other than the attacker and while\nthe vulnerability is in VirtualBox, attacks may significantly impact\nadditional products. Successful attacks of this vulnerability can result\nin takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288,\nCVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293,\nCVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).\n\nVulnerability in VirtualBox contains an easily exploitable vulnerability\nthat allows unauthenticated attacker with low privileged attacker with\nnetwork access via VRDP to compromise VirtualBox. Successful attacks\nrequire human interaction from a person other than the attacker and while\nthe vulnerability is in VirtualBox, attacks may significantly impact\nadditional products. Successful attacks of this vulnerability can result\nin takeover of VirtualBox (CVE-2018-3294).\n\nFor other fixes in this update, see the referenced changelog.\n","modified":"2026-02-04T04:24:22.192871Z","published":"2018-11-03T11:55:18Z","related":["CVE-2018-0732","CVE-2018-2909","CVE-2018-3287","CVE-2018-3288","CVE-2018-3289","CVE-2018-3290","CVE-2018-3291","CVE-2018-3292","CVE-2018-3293","CVE-2018-3294","CVE-2018-3295","CVE-2018-3296","CVE-2018-3297","CVE-2018-3298"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0437.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23719"},{"type":"REPORT","url":"https://www.virtualbox.org/wiki/Changelog#20"},{"type":"REPORT","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixOVIR"}],"affected":[{"package":{"name":"virtualbox","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.20-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0437.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.20-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0437.json"}},{"package":{"name":"kmod-vboxadditions","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/kmod-vboxadditions?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.20-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0437.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}