Information Technology News.


Oracle keeps the details of its security patches a secret, a bit like Microsoft


September 15, 2015

Microsoft isn't the only software giant that keeps a lid on the amount of information it releases on its monthly security patches.

Oracle is also keeping the details of its security patches for its VirtualBox hypervisor application a big secret, members of the Debian Linux team pointed out this week.

In July of this year, Oracle made available a large list of security updates for its products, including new features in its VirtualBox.

It also included a fix for a security vulnerability in the application labeled CVE-2015-2594.

All we were told at the time about the security flaw was that it involves guest OSes using bridged networking over Wi-Fi, and affects versions prior to 4.3.30 on Windows, Linux and Mac OS X hosts.

Gianfranco Costamagna, one of the team members who packages VirtualBox for Debian GNU/Linux users, asked the VBox developers at the time for more info, or at least a separate patch for just the security side of the update, but he never got a response from Oracle.

On Sunday this week, Linux users decided it was time to push out Oracle's updates for VirtualBox. The hypervisor software is mostly open source, but it's not clear, among all the other changes and new features in the software, where the security vulnerability fix lies.

We've tried different versions of the source code, and nothing has jumped out. Ideally, having the security patch identified means that people can assess how dangerous the flaw is and also apply the patch to stable versions of VirtualBox for people who just want security fixes and no new features.

"This security update fixes an unspecified security issue in VirtualBox related to guests using bridged networking via Wi-Fi," Debian's Moritz Muehlenhoff wrote in an advisory on Sunday about the VirtualBox package update.

"Oracle no longer provides information on specific security vulnerabilities in VirtualBox. To still support users of the already released Debian releases, we've decided to update these to the respective 4.1.40 and 4.3.30 bugfix releases," the company said.

Muehlenhoff said Oracle's latest batch of software updates was so vague that it's impossible to tell exactly what has been fixed in the code.

We understand that Oracle keeps a lid on the security patches it issues for other open-source code it maintains, but has until now been more open about VirtualBox security vulnerabilities.

A spokesperson for Oracle did not return our request for comment. In August, the database behemoth had a huge argument with its chief security officer after she posted on blogs.oracle.com a rant against reverse-engineering.

Source: Oracle.
