lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4BB4F561.3030409@vmware.com>
Date: Thu, 01 Apr 2010 12:34:57 -0700
From: VMware Security Team <security@...are.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: VMSA-2010-0006 ESX Service Console updates for samba and acpid

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0006
Synopsis:          ESX Service Console updates for samba and acpid
Issue date:        2010-04-01
Updated on:        2010-04-01 (initial release of advisory)
CVE numbers:       CVE-2009-2906, CVE-2009-1888, CVE-2009-2813,
                   CVE-2009-2948, CVE-2009-0798

- ------------------------------------------------------------------------

1. Summary

   ESX Service Console updates for samba and acpid packages.

2. Relevant releases

   VMware ESX 4.0.0 without patch ESX400-201003405-SG,
                                  ESX400-201003403-SG
   Notes:

   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
   to upgrade to at least ESX 3.0.3 Update 1 and preferably to the
   newest release available.

   Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
   to upgrade to at least ESX 3.5 Update 5 and preferably to the newest
   release available.

3. Problem Description

 a. Service Console update for samba to 3.0.33-3.15.el5_4.1

    This update changes the samba packages to
    samba-client-3.0.33-3.15.el5_4.1 and
    samba-common-3.0.33-3.15.el5_4.1. These versions include fixes for
    security issues that were first fixed in
    samba-client-3.0.33-0.18.el4_8 and samba-common-3.0.33-0.18.el4_8.
     
    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2009-2906, CVE-2009-1888,CVE-2009-2813
    and CVE-2009-2948 to these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201003405-SG
    ESX            3.5       ESX      patch pending
    ESX            3.0.3     ESX      patch pending
    ESX            2.5.5     ESX      patch pending

    vMA            4.0       RHEL5    patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for acpid to1.0.4-9.el5_4.2
 
    This updates changes the the acpid package to acpid-1.0.4-9.el5_4.2.
    This version includes the fix for a security issue that was first
    fixed in acpid-1.0.4-7.el5_4.1.  

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-0798 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201003403-SG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 4.0
   -------
 
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-195-20100324-069
238/ESX400-201003001.zip
   md5sum: c7c0f287d5728289fe2903be48d8d501
   sha1sum: d90badd89247ccc96a02001b6d697bf39fad9e7c
   http://kb.vmware.com/kb/1019833

   Note: ESX400-201003001 contains the following security bulletins
   ESX400-201003403-SG, and ESX400-201003405-SG

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle ESX400-201003403.zip -b ESX400-201003405-SG update


5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2948
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0798

- ------------------------------------------------------------------------
6. Change log

2010-04-01  VMSA-2010-0006
Initial security advisory after release of bulletins for ESX 4.0
on 2010-04-01.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLtPVKS2KysvBH1xkRAr7QAJ9fmOGXceihgXteCto/P0/N4FOYpQCeNU+6
9mPchO6g2qdEqzK4oDoGbl8=
=focv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ