<<< Date Index >>>     <<< Thread Index >>>

VMSA-2008-0013 Updated ESX packages for OpenSSL, net-snmp, perl



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID:       VMSA-2008-0013
Synopsis:          Updated ESX packages for OpenSSL, net-snmp, perl
Issue date:        2008-08-12
Updated on:        2008-08-12 (initial release of advisory)
CVE numbers:       CVE-2007-3108, CVE-2007-5135, CVE-2008-2292,
                  CVE-2008-0960, CVE-2008-1927
- ------------------------------------------------------------------------

1. Summary

  Updated ESX packages for OpenSSL, net-snmp, perl.

2. Relevant releases

  ESX 3.0.2
  ESX 3.0.1

  Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on
  2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1
  and preferably the newest release available.

3. Problem Description

I Security Issues

  a. OpenSSL Binaries Updated

  This fix updates the third party OpenSSL library.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
  addressed by this update.

  VMware         Product   Running  Replace with/
  Product        Version   on       Apply Patch
  =============  ========  =======  =================
  VirtualCenter  any       Windows  affected, patch pending

  hosted *       any       any      for patch info see VMSA-2008-0005

  ESXi           3.5       ESXi     affected, patch pending

  ESX            3.5       ESX      for patch info see VMSA-2008-0001
  ESX            3.0.3     ESX      not affected
  ESX            3.0.2     ESX      affected, patch pending
  ESX            3.0.1     ESX      affected, patch pending
  ESX            2.5.5     ESX      for patch info see VMSA-2008-0001
  ESX            2.5.4     ESX      for patch info see VMSA-2008-0001

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion

II Service Console rpm updates

  a. net-snmp Security update
This fix upgrades the service console rpm for net-snmp to version
  net-snmp-5.0.9-2.30E.24.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
  addressed in this update.

  VMware         Product   Running  Replace with/
  Product        Version   on       Apply Patch
  =============  ========  =======  =================
  VirtualCenter  any       Windows  not applicable

  hosted *       any       any      not applicable

  ESXi           3.5       ESXi     not applicable

  ESX            3.5       ESX      affected, patch pending
  ESX            3.0.3     ESX      not affected
  ESX            3.0.2     ESX      affected, patch pending
  ESX            3.0.1     ESX      affected, patch pending
  ESX            2.5.5     ESX      not affected
  ESX            2.5.4     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion

  b. perl Security update
This fix upgrades the service console rpm for perl to version
  perl-5.8.0-98.EL3.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the name CVE-2008-1927 to the issue addressed by this
  update.

  VMware         Product   Running  Replace with/
  Product        Version   on       Apply Patch
  =============  ========  =======  =================
  VirtualCenter  any       Windows  not applicable

  hosted *       any       any      not applicable

  ESXi           3.5       ESXi     not applicable

  ESX            3.5       ESX      affected, patch pending
  ESX            3.0.3     ESX      not affected
  ESX            3.0.2     ESX      affected, patch pending
  ESX            3.0.1     ESX      affected, patch pending
  ESX            2.5.5     ESX      not affected
  ESX            2.5.4     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion

4. Solution

  Please review the patch/release notes for your product and version
  and verify the md5sum of your downloaded file.

  ESX
  ---
  ESX 3.0.3 build 104629
  ESX Server 3.0.3 CD image
  md5sum: c2cda9242c6981c7eba1004e8fc5626d
  Upgrade package from ESX Server 2.x to ESX Server 3.0.3
  md5sum: 0ad8fa4707915139d8b2343afebeb92b
  Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
  md5sum: ff7f3dc12d34b474b231212bdf314113
  release notes:
  http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
5. References

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927

- ------------------------------------------------------------------------
6. Change log

2008-08-12 VMSA-2008-0013 Initial release following release of ESX 3.0.3.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

 * security-announce at lists.vmware.com
 * bugtraq at securityfocus.com
 * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFIodJwS2KysvBH1xkRAgrWAJ9cn6ruj4OXil0GOS7Jz17wJD/zPQCeK+h3
mBcqM+lPuzUdUgzqxgZ6NNM=
=J68B
-----END PGP SIGNATURE-----