Discuss the 5.2.22 release


Postby michael » 9. Nov 2018, 13:09

Discuss the 5.2.22 release here.
You can download the release here.
Mainly a regression-fix release for 5.2.20.
michael
Oracle Corporation
 
Posts: 683
Joined: 10. May 2007, 09:46

Re: Discuss the 5.2.22 release

Postby mooninite » 9. Nov 2018, 20:37

Does this release contain any update to the Intel NICs and NAT security issue announced on websites a few days ago?
mooninite
 
Posts: 16
Joined: 17. Jan 2008, 05:50
Primary OS: Fedora other
VBox Version: OSE Fedora
Guest OSses: RHEL, SuSE, SCO OpenServer, Windows XP

Re: Discuss the 5.2.22 release

Postby socratis » 9. Nov 2018, 21:38

@mooninite
The first rule of Fight Club is: you do not talk about Fight Club.
The second rule of Fight Club is: you DO NOT talk about Fight Club!
    Tyler Durden, 1999

;)
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Discuss the 5.2.22 release

Postby Jacob Klein » 11. Nov 2018, 00:10

Not gonna lie ... that response is a bit insulting. Let's not trivialize the question, please.
I too came here for a proper answer. Can we have one, please?

Here's what I've found so far about the problem:
https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/
https://github.com/MorteNoir1/virtualbox_e1000_0day
Jacob Klein
 
Posts: 649
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Postby socratis » 11. Nov 2018, 12:12

Let's put our collective thinking together, shall we?
A 0-day exploit is published. Even my local channel had a report on it. Two days later a new release comes out...

What could be considered as insulting, is the lack of common sense. Methinks...
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Discuss the 5.2.22 release

Postby Martin » 11. Nov 2018, 13:46

The researcher complains that https://www.virtualbox.org/ticket/16444 "was never considered a security vulnerability".
Looking at the provided information in the ticket, I'm not very surprised about it...
Martin
Volunteer
 
Posts: 2517
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Linux, OS/2

Re: Discuss the 5.2.22 release

Postby Jacob Klein » 11. Nov 2018, 14:37

So, is it fixed or not? It's a pretty simple question.
If the question is inappropriate or unanswerable due to policy, then please explicitly say so.

I'm having a difficult time trying to parse your non-answers.
Jacob Klein
 
Posts: 649
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Postby Jacob Klein » 11. Nov 2018, 14:42

I found this, where the researcher indicates that .22 does contain the fix.
https://github.com/MorteNoir1/virtualbox_e1000_0day/issues/12
Jacob Klein
 
Posts: 649
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Postby michael » 12. Nov 2018, 10:50

Speaking as one of the developers - the rule at Oracle (what Socratis paraphrased) is that only certain people are allowed to comment publicly on security issues at all. I am not one of those people, and I don't think there are any on our team. So we are not even allowed to say that there was a security fix; all public information is in the Oracle critical patch update information[1]. And what happened between October and January will presumably be in the January one. You may think what you want about this policy of course; since I am working for Oracle I follow Oracle policy.

[1] https://www.oracle.com/technetwork/secu ... 28296.html
michael
Oracle Corporation
 
Posts: 683
Joined: 10. May 2007, 09:46

Re: Discuss the 5.2.22 release

Postby Jacob Klein » 12. Nov 2018, 14:47

Thank you Michael. That does make it clearer. While I'm not sure if I agree with the policy, it is helpful to know that responses are limited by policy. Prior responses in this thread were not clear, to me.

I also found this, which lists all the Critical Patch Updates (CPUs), including prior ones:
https://www.oracle.com/technetwork/topics/security/alerts-086861.html
Jacob Klein
 
Posts: 649
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Postby EdT » 16. Nov 2018, 13:04

I never understand why companies are so reluctant to be open about critical fixes. All software companies make them, and kudos to those who are honest.
It seems that asking questions here, when Oracle obfuscate things all the time, is also a trigger for rudeness by some people.
Anyway, I have received an answer to my original question so I leave happy.
Thanks
Ed
EdT
 
Posts: 2
Joined: 15. Nov 2018, 14:54

Re: Discuss the 5.2.22 release

Postby johnst1e » 11. Dec 2018, 20:24

I just upgraded from 5.2.18 to 5.2.22 and now the video playback leads the audio by about 1 second in all my guests. Is it just me or do others have this problem?
I have a Win 10 64-bit host and Slitaz, Debian, Lubuntu, Ubuntu guests and now when I play a YouTube video the audio is out of sync in all my guests.
johnst1e
 
Posts: 1
Joined: 11. Dec 2018, 20:17

Re: Discuss the 5.2.22 release

Postby socratis » 11. Dec 2018, 21:43

johnst1e wrote: now the video playback leads the audio by about 1 second in all my guests

I've seen a couple of reports about that 1 second delay. Nothing easily reproducible. And I don't mean reproducible by you, but by other people... ;)
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Discuss the 5.2.22 release

Postby zdamienr » 22. Jan 2019, 20:09

I didn't pin it down to a 1 second delay, but I did notice recently that a YouTube video is out of sync (video and audio don't match) when played within VirtualBox.

Host: Windows 10, up to date.
Guest: Arch Linux, up to date apart from freezing virtualbox packages at 5.2.22, using ALSA and not PulseAudio. Firefox 64.0.2.
Also happens in Chromium 71.0.something. And yeah, the audio starting a second or two slow looks like a good description.
VirtualBox: 5.2.22, appropriate Guest Extensions installed
zdamienr
 
Posts: 1
Joined: 22. Jan 2019, 20:01

Re: Discuss the 5.2.22 release

Postby Peter15NTl » 15. Mar 2019, 12:33

Regarding the vulnerability: can malware or a script exit a virtual machine and get full rights on a host in a limited-access host account? I.e., is it safe to work with limited rights on a host in a system with old versions of VirtualBox? And is version 5.1.xx affected?
Peter15NTl
 
Posts: 78
Joined: 20. Jan 2017, 17:41

