• Bug#1109373: virtualbox: CVE-2025-53024 CVE-2025-53025 CVE-2025-53026 CVE-2025-53027 CVE-2025-53028 CVE-2025-53029 CVE-2025-53030

    From Moritz Mühlenhoff@21:1/5 to All on Wed Jul 16 11:10:01 2025
    Package: virtualbox
    X-Debbugs-CC: team@security.debian.org
    Severity: grave
    Tags: security

    Hi,

    The following vulnerabilities were published for virtualbox.

    CVE-2025-53024[0]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in takeover of Oracle VM VirtualBox.
    | CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
    | impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


    CVE-2025-53025[1]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in unauthorized access to critical
    | data or complete access to all Oracle VM VirtualBox accessible data.
    | CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


    CVE-2025-53026[2]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in unauthorized access to critical
    | data or complete access to all Oracle VM VirtualBox accessible data.
    | CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


    CVE-2025-53027[3]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in takeover of Oracle VM VirtualBox.
    | CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
    | impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


    CVE-2025-53028[4]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in takeover of Oracle VM VirtualBox.
    | CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability
    | impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


    CVE-2025-53029[5]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. Successful
    | attacks of this vulnerability can result in unauthorized read
    | access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1
    | Base Score 2.3 (Confidentiality impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).


    CVE-2025-53030[6]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.10. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in unauthorized access to critical
    | data or complete access to all Oracle VM VirtualBox accessible data.
    | CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-53024
    https://www.cve.org/CVERecord?id=CVE-2025-53024
    [1] https://security-tracker.debian.org/tracker/CVE-2025-53025
    https://www.cve.org/CVERecord?id=CVE-2025-53025
    [2] https://security-tracker.debian.org/tracker/CVE-2025-53026
    https://www.cve.org/CVERecord?id=CVE-2025-53026
    [3] https://security-tracker.debian.org/tracker/CVE-2025-53027
    https://www.cve.org/CVERecord?id=CVE-2025-53027
    [4] https://security-tracker.debian.org/tracker/CVE-2025-53028
    https://www.cve.org/CVERecord?id=CVE-2025-53028
    [5] https://security-tracker.debian.org/tracker/CVE-2025-53029
    https://www.cve.org/CVERecord?id=CVE-2025-53029
    [6] https://security-tracker.debian.org/tracker/CVE-2025-53030
    https://www.cve.org/CVERecord?id=CVE-2025-53030

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to Debian FTP Masters on Thu Jul 17 22:20:02 2025

    Your message dated Thu, 17 Jul 2025 22:12:00 +0200
    with message-id <aHlZENwUPg15yUAX@eldamar.lan>
    and subject line Re: Accepted virtualbox 7.1.12-dfsg-1 (source) into unstable has caused the Debian Bug report #1109373,
    regarding virtualbox: CVE-2025-53024 CVE-2025-53025 CVE-2025-53026 CVE-2025-53027 CVE-2025-53028 CVE-2025-53029 CVE-2025-53030
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1109373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
