lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4CFDFE5A.3090502@vmware.com>
Date: Tue, 07 Dec 2010 01:28:58 -0800
From: VMware Security Team <security@...are.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: VMSA-2010-0019 VMware ESX third party updates for Service Console

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0019
Synopsis:          VMware ESX third party updates for Service Console
Issue date:        2010-12-07
Updated on:        2010-12-07
CVE numbers:       CVE-2010-3069 CVE-2010-0405 CVE-2009-0590
                   CVE-2009-2409 CVE-2009-3555
- ------------------------------------------------------------------------

1. Summary

   ESX 3.x Console OS (COS) updates for samba, bzip2, and openssl
   packages.

2. Relevant releases

   VMware ESX 3.5 without patches ESX350-201012408-SG,
   ESX350-201012409-SG, ESX350-201012401-SG

   Notes:
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 3.0.3 ends on 2011-12-10.  Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

3. Problem Description

 a. Service Console update for samba

    The service console package samba is updated to version
    3.0.9-1.3E.18.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-3069 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      not applicable
    ESX            4.0       ESX      not applicable
    ESX            3.5       ESX      ESX350-201012408-SG
    ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for bzip2

    The service console package bzip2 updated to version
    1.0.2-14.EL3.
   
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-0405 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      affected, patch pending
    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      ESX350-201012409-SG
    ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console update for OpenSSL

    The service console package openssl updated to version
    0.9.7a-33.26.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-0590, CVE-2009-2409 and
    CVE-2009-3555 to the issues addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      not applicable
    ESX            4.0       ESX      not applicable
    ESX            3.5       ESX      ESX350-201012401-SG
    ESX            3.0.3     ESX      affected, no patch planned

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 3.5
   -------

   Samba
   http://download3.vmware.com/software/vi/ESX350-201012408-SG.zip
   md5sum: 53a427d5d2213c51d57e8e8f7e3d544c
   http://kb.vmware.com/kb/1029999
   
   bzip
   http://download3.vmware.com/software/vi/ESX350-201012409-SG.zip
   md5sum: 0a688d7153380fcb5d7ca0ac098e2d03
   http://kb.vmware.com/kb/1030000
   
   openssl
   http://download3.vmware.com/software/vi/ESX350-201012401-SG.zip
   md5sum: a8b1d9e4eabd14b6822bd1f8bf6dbf69
   http://kb.vmware.com/kb/1029993


5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

- ------------------------------------------------------------------------

6. Change log

2010-12-07  VMSA-2010-0019
Initial security advisory after release of patches for ESX 3.5
on 2010-12-07

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFM/f4zS2KysvBH1xkRAnf/AJ92iaWdMkFZqrc8it1+wGuNzhfN1ACfegvo
1g3OQEfuUNoDQXhCp3zHpw4=
=FmAq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ