lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4CE23916.7070507@vmware.com>
Date: Mon, 15 Nov 2010 23:56:06 -0800
From: VMware Security team <security@...are.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: VMSA-2010-0016 VMware ESXi and ESX third party updates for Service
 Console and Likewise components

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0016
Synopsis:          VMware ESXi and ESX third party updates for Service
                   Console and Likewise components
Issue date:        2010-11-15
Updated on:        2010-11-15 (initial release of advisory)
CVE numbers:       CVE-2010-0415 CVE-2010-0307 CVE-2010-0291
                   CVE-2010-0622 CVE-2010-1087 CVE-2010-1437
                   CVE-2010-1088 CVE-2009-0844 CVE-2009-0845
                   CVE-2009-0846 CVE-2009-4212 CVE-2010-1321
- ------------------------------------------------------------------------

1. Summary

   ESX Service Console OS (COS) kernel update, and Likewise packages
   updates.

2. Relevant releases
   VMware ESXi 4.1 without patch ESXi410-201010401-SG

   VMware ESX 4.1 without patches ESX410-201010401-SG,
   ESX410-201010419-SG

3. Problem Description

 a. Service Console OS update for COS kernel

    This patch updates the service console kernel to fix multiple
    security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-0415, CVE-2010-0307,
    CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1437, and
    CVE-2010-1088 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201010401-SG
    ESX            4.0       ESX      patch pending
    ESX            3.x       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 b. Likewise package updates

    Updates to the likewisekrb5, likewiseopenldap, likewiseopen,
    and pamkrb5 packages address several security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-0844, CVE-2009-0845,
    CVE-2009-0846, CVE-2009-4212, and CVE-2010-1321 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           4.1       ESXi     ESXi410-201010401-SG
    ESXi           4.0       ESXi     not affected

    ESX            4.1       ESX      ESX410-201010419-SG
    ESX            4.0       ESX      not applicable
    ESX            3.x       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESXi 4.1
   --------
   ESXi410-201010401-SG
   Download link: http://bit.ly/bb3xjV
   md5sum: 05f1049c7a595481cd682e92fe8d3285
   sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76
   http://kb.vmware.com/kb/1027753

   ESX 4.1
   -------
   ESX410-201010001
   Download link: http://bit.ly/a3Ffw8
   md5sum: ff4435fd3c74764f064e047c6e5e7809
   sha1sum: 322981f4dbb9e5913c8f38684369444ff7e265b3
   http://kb.vmware.com/kb/1027027

   ESX410-201010001 contains the following security bulletins:
   ESX410-201010401-SG (COS kernel) | http://kb.vmware.com/kb/1027013
   ESX410-201010419-SG (Likewise)   | http://kb.vmware.com/kb/1027026
   ESX410-201010404-SG (NSS)        | http://kb.vmware.com/kb/1027016
   ESX410-201010409-SG (tar)        | http://kb.vmware.com/kb/1027019
   ESX410-201010412-SG (Perl)       | http://kb.vmware.com/kb/1027022
   ESX410-201010413-SG (cpio)       | http://kb.vmware.com/kb/1027023
   ESX410-201010410-SG (cURL)       | http://kb.vmware.com/kb/1027020
   ESX410-201010401-SG (vmkernel64,
                           VMX, CIM)| http://kb.vmware.com/kb/1027013
   ESX410-201010414-SG
             (vmware-esx-pam-config)| http://kb.vmware.com/kb/1027024
   ESX410-201010402-SG (GnuTLS, NSS,
                        and openSSL)| http://kb.vmware.com/kb/1027014

   ESX410-201010001 also contains the following non-security bulletins
   ESX410-201010405-BG ESX410-201010415-BG

   To install an individual bulletin use esxupdate with the -b option.

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321

- ------------------------------------------------------------------------

6. Change log

2010-11-15  VMSA-2010-0016
Initial security advisory after release of patches for ESX 4.1
on 2010-11-15

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisoiries

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkziORMACgkQS2KysvBH1xlJWgCffEWdIT5/yCFltNx3UVpVxE3w
V6AAn1LAO7JObXN5hLYOnWVRGquBCzYM
=gLN2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ