[Security-announce] UPDATED + VMSA-2008-0013.1 Updated ESX packages for OpenSSL, net-snmp, perl

security-announce at lists.vmware.com security-announce at lists.vmware.com
Tue Aug 26 16:36:02 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0013.1
Synopsis:          Updated ESX packages for OpenSSL, net-snmp, perl
Issue date:        2008-08-12
Updated on:        2008-08-26
CVE numbers:       CVE-2007-3108, CVE-2007-5135
- ------------------------------------------------------------------------

1. Summary

   Updated ESX packages for OpenSSL.

2. Relevant releases
 
   ESX 3.0.2
   ESX 3.0.1

   Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on
   2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1
   and preferably the newest release available.

3. Problem Description

 I Security Issues

   a. OpenSSL Binaries Updated

   This fix updates the third party OpenSSL library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
   addressed by this update.
 
   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  affected, patch pending

   hosted *       any       any      for patch info see VMSA-2008-0005
 
   ESXi           3.5       ESXi     affected, patch pending

   ESX            3.5       ESX      for patch info see VMSA-2008-0001
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      for patch info see VMSA-2008-0001
   ESX            2.5.4     ESX      for patch info see VMSA-2008-0001

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion
 
 II Service Console rpm updates

   a. net-snmp Security update
 
   Previous communication stated that this fix upgrades the service
   console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24 on
   ESX 3.0.3. However this update is not present in ESX 3.0.3 and
   ESX 3.0.3 is shipping with net-snmp-5.0.9-2.30E.23.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
   addressed in net-snmp-5.0.9-2.30E.24.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable
 
   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      affected, patch pending
   ESX            3.0.3     ESX      affected, patch pending
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

   b. perl Security update

   Previous communication stated that this fix upgrades the service
   console rpm for perl to version perl-5.8.0-98.EL3 on
   ESX 3.0.3. However this update is not present in ESX 3.0.3 and
   ESX 3.0.3 is shipping with perl-5.8.0-97.EL3.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-1927 to the issue addressed in
   perl-5.8.0-98.EL3.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable
 
   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      affected, patch pending
   ESX            3.0.3     ESX      affected, patch pending
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX
   ---
   ESX 3.0.3 build 104629
   ESX Server 3.0.3 CD image
   md5sum: c2cda9242c6981c7eba1004e8fc5626d
   Upgrade package from ESX Server 2.x to ESX Server 3.0.3
   md5sum: 0ad8fa4707915139d8b2343afebeb92b
   Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
   md5sum: ff7f3dc12d34b474b231212bdf314113
   release notes:
   http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
    
5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927

- ------------------------------------------------------------------------
6. Change log

2008-08-12  VMSA-2008-0013    
Initial release following release of ESX 3.0.3.
2008-08-26  VMSA-2008-0013.1
Corrected version information for the net-snmp and perl Service Console
rpms that are present in ESX 3.0.3 released on August 8. Previous
communication incorrectly stated that these rpms had been updated.
Updates for these rpms will be provided in an upcoming patch release.


- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFItJMQS2KysvBH1xkRAupBAJ9lHLx/t2SipNRgTprhrbvAeeHpfQCdH27U
evKGbV6loEplFPZKFaENzT0=
=oMwc
-----END PGP SIGNATURE-----




More information about the Security-announce mailing list