Hey, Oracle, what's in that VirtualBox security update? *crickets*

Debian team bit miffed about secretive vuln fixes in hypervisor software

It's not just Microsoft keeping schtum on exactly what's inside its software updates.

Oracle is keeping details of security patches for its VirtualBox hypervisor software a secret, members of the Debian team pointed out this week.

Back in July, Oracle emitted a big batch of updates for its products, including new features in VirtualBox and a fix for a vulnerability in the application labeled CVE-2015-2594. All we were told at the time about the bug was that it involves guest OSes using bridged networking over Wi-Fi, and affects versions prior to 4.3.30 on Windows, Linux and Mac OS X hosts.

Gianfranco Costamagna, one of the small team that packages VirtualBox for Debian GNU/Linux users, asked the VBox developers for more information at the time, or at least for a separate patch covering just the security side of the update, but got no response.

On Sunday this week, the penguinistas decided it was time to push out Oracle's updates for VirtualBox. The hypervisor software is mostly open source, but among all the other changes and new features in the release it is not clear where the vulnerability fix lies. We've tried diffing versions of the source code, and nothing has jumped out at us; let us know if you can home in on it.

Having the security patch identified would let people assess how dangerous the flaw is, and would let distributions backport just that fix to stable versions of VirtualBox for users who want security fixes without new features.

"This update fixes an unspecified security issue in VirtualBox related to guests using bridged networking via Wi-Fi," Debian's Moritz Muehlenhoff wrote in an advisory on Sunday about the VirtualBox package update.

"Oracle no longer provides information on specific security vulnerabilities in VirtualBox. To still support users of the already released Debian releases we've decided to update these to the respective 4.1.40 and 4.3.30 bugfix releases."

Muehlenhoff told The Reg that Oracle's documentation for its latest batch of software updates was "so vague" it is impossible to tell exactly what has been fixed in the code.

We understand that Oracle keeps a lid on the security patches it issues for other open-source code it maintains, but has until now been more, well, open about VirtualBox vulnerabilities. A spokesperson for Oracle did not respond to our request for comment.

In August, the database giant threw its chief security officer under a bus after she posted, on blogs.oracle.com, a rant against reverse-engineering and bug bounties. ®
