Discuss the 5.2.22 release
Discuss the 5.2.22 release here.
You can download the release here.
Mainly a regression-fix release for 5.2.20.
-
- Posts: 16
- Joined: 17. Jan 2008, 05:50
- Primary OS: Fedora other
- VBox Version: OSE Fedora
- Guest OSses: RHEL, SuSE, SCO OpenServer, Windows XP
Re: Discuss the 5.2.22 release
Does this release contain any update to the Intel NICs and NAT security issue announced on websites a few days ago?
-
- Site Moderator
- Posts: 27330
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Discuss the 5.2.22 release
@mooninite
The first rule of Fight Club is: you do not talk about Fight Club.
The second rule of Fight Club is: you DO NOT talk about Fight Club!
- Tyler Durden, 1999
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
- Posts: 696
- Joined: 20. Nov 2013, 01:07
Re: Discuss the 5.2.22 release
Not gonna lie ... that response is a bit insulting. Let's not trivialize the question, please.
I too came here for a proper answer. Can we have one, please?
Here's what I've found so far about the problem:
https://www.zdnet.com/article/virtualbo ... esearcher/
https://github.com/MorteNoir1/virtualbox_e1000_0day
-
- Site Moderator
- Posts: 27330
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Discuss the 5.2.22 release
Let's put our collective thinking together, shall we?
A 0-day exploit is published. Even my local channel had a report on it. Two days later a new release comes out...
What could be considered as insulting, is the lack of common sense. Methinks...
-
- Volunteer
- Posts: 2560
- Joined: 30. May 2007, 18:05
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: XP, Win7, Win10, Linux, OS/2
Re: Discuss the 5.2.22 release
The researcher complains that https://www.virtualbox.org/ticket/16444 "was never considered a security vulnerability".
Looking at the provided information in the ticket I'm not very surprised about it...
-
- Posts: 696
- Joined: 20. Nov 2013, 01:07
Re: Discuss the 5.2.22 release
So, is it fixed or not? It's a pretty simple question.
If the question is inappropriate or unanswerable due to policy, then please explicitly say so.
I'm having a difficult time trying to parse your non-answers.
-
- Posts: 696
- Joined: 20. Nov 2013, 01:07
Re: Discuss the 5.2.22 release
I found this, where the researcher indicates that .22 does contain the fix.
https://github.com/MorteNoir1/virtualbo ... /issues/12
Re: Discuss the 5.2.22 release
Speaking as one of the developers - the rule at Oracle (what Socratis paraphrased) is that only certain people are allowed to comment publicly on security issues at all. I am not one of those people, and I don't think there are any on our team. So we are not even allowed to say that there was a security fix; all public information is in the Oracle critical patch update information[1]. And what happened between October and January will presumably be in the January one. You may think what you want about this policy of course; since I am working for Oracle I follow Oracle policy.
[1] https://www.oracle.com/technetwork/secu ... 28296.html
-
- Posts: 696
- Joined: 20. Nov 2013, 01:07
Re: Discuss the 5.2.22 release
Thank you Michael. That does make it clearer. While I'm not sure if I agree with the policy, it is helpful to know that responses are limited by policy. Prior responses in this thread were not clear, to me.
I also found this, which lists all the Critical Patch Updates (CPUs), including prior ones:
https://www.oracle.com/technetwork/topi ... 86861.html
Re: Discuss the 5.2.22 release
I never understand why companies are so reluctant to be open about critical fixes. All software companies make them, and kudos to those who are honest.
It seems that asking questions here, when Oracle obfuscate things all the time, is also a trigger for rudeness by some people.
Anyway, I have received an answer to my original question so I leave happy.
Thanks
Ed
Re: Discuss the 5.2.22 release
I just upgraded from 5.2.18 to 5.2.22 and now the video playback leads the audio by about 1 second in all my guests. Is it just me or do others have this problem?
I have a Win 10 64bit host and Slitaz, Debian, Lubuntu, Ubuntu guests and now when I play a youtube video the audio is out of sync in all my guests.
-
- Site Moderator
- Posts: 27330
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Discuss the 5.2.22 release
johnst1e wrote: now the video playback leads the audio by about 1 second in all my guests
I've seen a couple of reports about that 1 second delay. Nothing easily reproducible. And I don't mean reproducible by you, but by other people...
Re: Discuss the 5.2.22 release
I didn't pin it down to a 1 second delay, but I did notice recently that a Youtube video is out of sync (video and audio don't match) when played within Virtualbox.
Host: Windows 10, up to date.
Guest: Arch Linux, up to date apart from freezing virtualbox packages at 5.2.22, using ALSA and not PulseAudio. Firefox 64.0.2.
Also happens in Chromium 71.0.something. And yeah, the audio starting a second or two slow looks like a good description.
Virtualbox: 5.2.22, appropriate Guest Extensions installed
-
- Posts: 78
- Joined: 20. Jan 2017, 17:41
Re: Discuss the 5.2.22 release
Regarding the vulnerability: can malware or a script exit a virtual machine and get full rights on a host in a limited-access host account? I.e., is it safe to work with limited rights on a host in a system with old versions of VirtualBox? And is version 5.1.xx affected?