[Security-announce] UPDATED VMSA-2008-0011.3 Updated ESX service console packages for Samba and vmnix
VMware Security Announcements
security-announce at lists.vmware.com
Thu Oct 30 23:35:26 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0011.3
Synopsis: Updated ESX service console packages for Samba
and vmnix
Issue date: 2008-07-28
Updated on: 2008-10-31
CVE numbers: CVE-2007-5001 CVE-2007-6151 CVE-2007-6206
CVE-2008-0007 CVE-2008-1367 CVE-2008-1375
CVE-2008-1669 CVE-2006-4814 CVE-2008-1105
- -------------------------------------------------------------------
1. Summary:
Updated ESX packages address several security issues.
2. Relevant releases:
VMware ESX 3.5 without patches ESX350-200806201-UG (vmnix) and
ESX350-200806218-UG (samba)
VMware ESX 3.0.2 without patch ESX-1006029
VMware ESX 3.0.1 without patch ESX-1006028
VMware ESX 2.5.5 before Upgrade Patch 10
VMware ESX 2.5.4 before Upgrade Patch 21
NOTE: Extended support (Security and Bug fixes) for ESX 3.0.2 ends
on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3
and preferably to the newest release available.
Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended
on 2008-07-31. The 3.0.1 patches are released in August because
there was no patch release in July.
3. Problem description:
I Service Console rpm updates
a. Security Update to Service Console Kernel
This fix upgrades service console kernel version to 2.4.21-57.EL.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5001, CVE-2007-6151, CVE-2007-6206,
CVE-2008-0007, CVE-2008-1367, CVE-2008-1375, CVE-2006-4814, and
CVE-2008-1669 to the security issues fixed in kernel-2.4.21-57.EL.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX patch ESX350-200806201-UG
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX affected, no update planned
ESX 3.0.1 ESX affected, no update planned
ESX 2.5.5 ESX not applicable
ESX 2.5.4 ESX not applicable
b. Samba Security Update
This fix upgrades the service console rpm samba to version
3.0.9-1.3E.15vmw
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-1105 to this issue.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX patch ESX350-200806218-UG
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX patch ESX-1006029
ESX 3.0.1 ESX patch ESX-1006028
ESX 2.5.5 ESX ESX 2.5.5 upgrade patch 10 or later
ESX 2.5.4 ESX ESX 2.5.4 upgrade patch 21
4. Solution:
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 3.5 (Samba)
http://download3.vmware.com/software/esx/ESX350-200806218-UG.zip
md5sum: dfad21860ba24a6322b36041c0bc2a07
http://kb.vmware.com/kb/1005931
ESX 3.5 (vmnix)
http://download3.vmware.com/software/esx/ESX350-200806201-UG.zip
md5sum: 2888192905a6763a069914fcd258d329
http://kb.vmware.com/kb/1005894
ESX 3.0.3 build 104629
ESX Server 3.0.3 CD image
md5sum: c2cda9242c6981c7eba1004e8fc5626d
Upgrade package from ESX Server 2.x to ESX Server 3.0.3
md5sum: 0ad8fa4707915139d8b2343afebeb92b
Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
md5sum: ff7f3dc12d34b474b231212bdf314113
release notes:
http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
ESX 3.0.2 patch ESX-1006029
http://download3.vmware.com/software/vi/ESX-1006029.tgz
md5sum: 08b81541304a3a8a612679e6a50aaa6c
http://kb.vmware.com/kb/1006029
ESX 3.0.1 patch ESX-1006028
http://download3.vmware.com/software/vi/ESX-1006028.tgz
md5sum: 81e7e5771354340805ba6fb94ac7115a
http://kb.vmware.com/kb/1006028
VMware ESX 2.5.5 Upgrade Patch 10
http://download3.vmware.com/software/esx/esx-2.5.5-119702-upgrade.tar.gz
md5sum: 2ee87cdd70b1ba84751e24c0bd8b4621
http://vmware.com/support/esx25/doc/esx-255-200810-patch.html
VMware ESX 2.5.4 Upgrade Patch 21
http://download3.vmware.com/software/esx/esx-2.5.4-119703-upgrade.tar.gz
md5sum: d791be525c604c852a03dd7df0eabf35
http://vmware.com/support/esx25/doc/esx-254-200810-patch.html
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
- -------------------------------------------------------------------
6. Change log:
2008-07-28 VMSA-2008-0011
Initial release
2008-08-12 VMSA-2008-0011.1
Added VMware ESX 3.0.3 released on 2008-08-08
2008-08-29 VMSA-2008-0011.2
Added VMware ESX 3.0.2, ESX 3.0.1 released on 2008-08-28
2008-10-31 VMSA-2008-0011.3
Added VMware ESX 2.5.4 and ESX 2.5.5 released on 2008-10-30
- ---------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFJCqcjS2KysvBH1xkRAsZiAJ9fwoiwAkri6gkCYsCs6t5ADonrdgCfW6cA
qUNrVEVEzsEk+gJGB1yTFww=
=UHej
-----END PGP SIGNATURE-----
More information about the Security-announce
mailing list