[Security-announce] VMSA-2008-0013 Updated ESX packages for OpenSSL, net-snmp, perl

security-announce at lists.vmware.com security-announce at lists.vmware.com
Tue Aug 12 09:54:31 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0013
Synopsis:          Updated ESX packages for OpenSSL, net-snmp, perl
Issue date:        2008-08-12
Updated on:        2008-08-12 (initial release of advisory)
CVE numbers:       CVE-2007-3108, CVE-2007-5135, CVE-2008-2292,
                   CVE-2008-0960, CVE-2008-1927
- ------------------------------------------------------------------------

1. Summary

   Updated ESX packages for OpenSSL, net-snmp, perl.

2. Relevant releases
 
   ESX 3.0.2
   ESX 3.0.1

   Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on
   2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1
   and preferably the newest release available.

3. Problem Description

 I Security Issues

   a. OpenSSL Binaries Updated

   This fix updates the third party OpenSSL library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
   addressed by this update.
 
   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  affected, patch pending

   hosted *       any       any      for patch info see VMSA-2008-0005
 
   ESXi           3.5       ESXi     affected, patch pending

   ESX            3.5       ESX      for patch info see VMSA-2008-0001
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      for patch info see VMSA-2008-0001
   ESX            2.5.4     ESX      for patch info see VMSA-2008-0001

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion
 
 II Service Console rpm updates

   a. net-snmp Security update
   
   This fix upgrades the service console rpm for net-snmp to version
   net-snmp-5.0.9-2.30E.24.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
   addressed in this update.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable
 
   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      affected, patch pending
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

   b. perl Security update
   
   This fix upgrades the service console rpm for perl to version
   perl-5.8.0-98.EL3.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-1927 to the issue addressed by this
   update.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable
 
   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      affected, patch pending
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX
   ---
   ESX 3.0.3 build 104629
   ESX Server 3.0.3 CD image
   md5sum: c2cda9242c6981c7eba1004e8fc5626d
   Upgrade package from ESX Server 2.x to ESX Server 3.0.3
   md5sum: 0ad8fa4707915139d8b2343afebeb92b
   Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
   md5sum: ff7f3dc12d34b474b231212bdf314113
   release notes:
   http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
    
5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927

- ------------------------------------------------------------------------
6. Change log

2008-08-12  VMSA-2008-0013    
Initial release following release of ESX 3.0.3.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFIocAFS2KysvBH1xkRAo/IAJwJu5uDugjZnxD+/YW3HjAUM3wZZwCfZSsA
iH86tEWVgj8/JUlvAmZVqgY=
=yafn
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list