lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 5 Dec 2013 22:14:54 -0700
From: Edward Hawkins <security@...are.com>
To: "security@...are.com Response Center" <security@...are.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: NEW VMSA-2013-0015 VMware ESX updates to third
	party libraries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              VMware Security Advisory

Advisory ID:  VMSA-2013-0015
Synopsis:     VMware ESX updates to third party libraries
Issue date:   2013-12-05
Updated on:   2013-12-05 (initial release)
CVE numbers:  --- kernel (service console) ---
              CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
              CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
              CVE-2013-2232
              --- nss and nspr (service console) ---
              CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary

   VMware has updated several third party libraries in ESX that address 
   multiple security vulnerabilities.

2. Relevant releases

   VMware ESX 4.1 without patch ESX410-201312001

3. Problem Description

      a. Update to ESX service console kernel

      The ESX service console kernel is updated to resolve multiple
      security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
      CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, 
      CVE-2013-2237, CVE-2013-2232 to these issues.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201312401-SG
        ESX             4.0       ESX      patch pending 

      b. Update to ESX service console NSPR and NSS

      This patch updates the ESX service console Netscape Portable 
      Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
      multiple security issues. 

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2013-0791 and CVE-2013-1620 to these 
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201312403-SG
        ESX             4.0       ESX      patch pending 

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESX 4.1
   -------
   File: ESX410-201312001.zip
   md5sum: c35763a84db169dd0285442d4129cc18
   sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
   http://kb.vmware.com/kb/2061209
   ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.

5. References

   --- kernel (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232

   --- NSPR and NSS (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620

- -------------------------------------------------------------------------

6. Change log

   2013-12-05 VMSA-2013-0015
   Initial security advisory in conjunction with the release of ESX 4.1
   patches on 2013-12-05.

- -------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2013 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlKhXU4ACgkQDEcm8Vbi9kNX/gCg14tA1XgGuYp9bm2UFjec9I/Z
FIEAn0TKmueBwb03NQ1ZMkayBgrrTrz1
=9TBm
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists