Oracle keeps the details of its security patches a secret, a bit like Microsoft
September 15, 2015
Microsoft isn't the only software giant that keeps a lid on the amount of information it
releases on its monthly security patches.
Oracle is also keeping the details of its security patches for its VirtualBox hypervisor
application a big secret, members of the Debian Linux team pointed out this week.
In July of this year, Oracle made available a large list of security updates for its products, including
new features in VirtualBox.
It also included a fix for a security vulnerability in the application labeled CVE-2015-2594.
All we were told at the time about the security flaw was that it involves guest OSes using
bridged networking over Wi-Fi, and affects versions prior to 4.3.30 on Windows, Linux and Mac
OS X hosts.
Gianfranco Costamagna, one of the team members who packages VirtualBox for GNU/Linux Debian users,
asked the VBox developers at the time for more information, or at least a separate patch covering just the
security side of the update, but he never got a response from Oracle.
On Sunday this week, the Debian team decided it was time to push out Oracle's updates for VirtualBox.
The hypervisor software is mostly open source, but it's not clear, among all the other changes and
new features in the software, where the security vulnerability fix lies.
We've tried different versions of the source code, and nothing has jumped out. Ideally, having the security
patch identified means that people can assess how dangerous the flaw is and also apply the patch
to stable versions of VirtualBox for people who just want security fixes and no new features.
"This security update fixes an unspecified security issue in VirtualBox related to guests using
bridged networking via Wi-Fi," Debian's Moritz Muehlenhoff wrote in an advisory on Sunday about the
VirtualBox package update.
"Oracle no longer provides information on specific security vulnerabilities in VirtualBox. To
still support users of the already released Debian releases, we've decided to update these to the
respective 4.1.40 and 4.3.30 bugfix releases," the advisory continued.
Muehlenhoff said Oracle's latest batch of software updates was so vague it's impossible to tell
exactly what has been fixed in the code.
We understand that Oracle keeps a lid on the security patches it issues for other open-source
code it maintains, but has until now been more open about VirtualBox security vulnerabilities.
A spokesperson for Oracle did not return our request for comment. In August, the database behemoth
had a huge argument with its chief security officer after she posted on blogs.oracle.com a rant