[Security-announce] UPDATED + VMSA-2008-0013.1 Updated ESX packages
for OpenSSL, net-snmp, perl
security-announce at lists.vmware.com
security-announce at lists.vmware.com
Tue Aug 26 16:36:02 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0013.1
Synopsis: Updated ESX packages for OpenSSL, net-snmp, perl
Issue date: 2008-08-12
Updated on: 2008-08-26
CVE numbers: CVE-2007-3108, CVE-2007-5135
- ------------------------------------------------------------------------
1. Summary
Updated ESX packages for OpenSSL.
2. Relevant releases
ESX 3.0.2
ESX 3.0.1
Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on
2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1
and preferably the newest release available.
3. Problem Description
I Security Issues
a. OpenSSL Binaries Updated
This fix updates the third party OpenSSL library.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
addressed by this update.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows affected, patch pending
hosted * any any for patch info see VMSA-2008-0005
ESXi 3.5 ESXi affected, patch pending
ESX 3.5 ESX for patch info see VMSA-2008-0001
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX affected, patch pending
ESX 3.0.1 ESX affected, patch pending
ESX 2.5.5 ESX for patch info see VMSA-2008-0001
ESX 2.5.4 ESX for patch info see VMSA-2008-0001
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
II Service Console rpm updates
a. net-snmp Security update
Previous communication stated that this fix upgrades the service
console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24 on
ESX 3.0.3. However this update is not present in ESX 3.0.3 and
ESX 3.0.3 is shipping with net-snmp-5.0.9-2.30E.23.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
addressed in net-snmp-5.0.9-2.30E.24.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted * any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, patch pending
ESX 3.0.1 ESX affected, patch pending
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
b. perl Security update
Previous communication stated that this fix upgrades the service
console rpm for perl to version perl-5.8.0-98.EL3 on
ESX 3.0.3. However this update is not present in ESX 3.0.3 and
ESX 3.0.3 is shipping with perl-5.8.0-97.EL3.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-1927 to the issue addressed in
perl-5.8.0-98.EL3.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted * any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, patch pending
ESX 3.0.1 ESX affected, patch pending
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX
---
ESX 3.0.3 build 104629
ESX Server 3.0.3 CD image
md5sum: c2cda9242c6981c7eba1004e8fc5626d
Upgrade package from ESX Server 2.x to ESX Server 3.0.3
md5sum: 0ad8fa4707915139d8b2343afebeb92b
Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
md5sum: ff7f3dc12d34b474b231212bdf314113
release notes:
http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927
- ------------------------------------------------------------------------
6. Change log
2008-08-12 VMSA-2008-0013
Initial release following release of ESX 3.0.3.
2008-08-26 VMSA-2008-0013.1
Corrected version information for the net-snmp and perl Service Console
rpms that are present in ESX 3.0.3 released on August 8. Previous
communication incorrectly stated that these rpms had been updated.
Updates for these rpms will be provided in an upcoming patch release.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFItJMQS2KysvBH1xkRAupBAJ9lHLx/t2SipNRgTprhrbvAeeHpfQCdH27U
evKGbV6loEplFPZKFaENzT0=
=oMwc
-----END PGP SIGNATURE-----
More information about the Security-announce
mailing list