[Security-announce] UPDATED VMSA-2008-0013.3 Updated ESX packages for OpenSSL, net-snmp, perl

VMware Security Announcements security-announce at lists.vmware.com
Thu Sep 18 21:10:04 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0013.3
Synopsis:          Updated ESX packages for OpenSSL, net-snmp, perl
Issue date:        2008-08-12
Updated on:        2008-09-18
CVE numbers:       CVE-2007-3108, CVE-2007-5135, CVE-2008-2292,
                   CVE-2008-0960, CVE-2008-1927
- --------------------------------------------------------------------------

1. Summary

   Updated ESX packages for OpenSSL, net-snmp, perl

2. Relevant releases

   ESX 3.5 without patches ESX350-200808405-SG, ESX350-200808406-SG

   ESX 3.0.3 without patches ESX303-200808401-SG ESX303-200808402-SG
   ESX 3.0.2 without patches ESX-1005116 ESX-1006031 ESX-1006037
   ESX 3.0.1 without patches ESX-1005115 ESX-1006030 ESX-1006355

   Note: Extended support (Security and Bug fixes) for ESX 3.0.2 ends
         on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
         ends on 8/8/2009.  Users should plan to upgrade to ESX 3.0.3
         and preferably to the newest release available.

         Extended Support (Security and Bug fixes) for ESX 3.0.1 has
         ended on 2008-07-31. The 3.0.1 patches are released in August
         because there was no patch release in July.
 
3. Problem Description

 I Security Issues

   a. OpenSSL Binaries Updated

   This fix updates the third party OpenSSL library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
   addressed by this update.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  affected, patch pending

   hosted *       any       any      for patch info see VMSA-2008-0005

   ESXi           3.5       ESXi     affected, patch pending

   ESX            3.5       ESX      for patch info see VMSA-2008-0001
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      ESX-1005116
   ESX            3.0.1     ESX      ESX-1005115
   ESX            2.5.5     ESX      for patch info see VMSA-2008-0001
   ESX            2.5.4     ESX      for patch info see VMSA-2008-0001

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

 II Service Console rpm updates

   a. net-snmp Security update

   This fix upgrades the service console rpm for net-snmp to version
   net-snmp-5.0.9-2.30E.24.
  
   Note: this update is relevant for ESX 3.0.3. The initial advisory
   incorrectly stated that this update was present in ESX 3.0.3
   when it was released on August 8, 2008.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
   addressed in net-snmp-5.0.9-2.30E.24.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      ESX350-200808405-SG
   ESX            3.0.3     ESX      ESX303-200808401-SG
   ESX            3.0.2     ESX      ESX-1006031
   ESX            3.0.1     ESX      ESX-1006030
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

   b. perl Security update

   This fix upgrades the service console rpm for perl to version
   perl-5.8.0-98.EL3.

   Note: this update is relevant for ESX 3.0.3. The initial advisory
   incorrectly stated that this update was present in ESX 3.0.3
   when it was released on August 8, 2008.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-1927 to the issue addressed in
   perl-5.8.0-98.EL3.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted *       any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      ESX350-200808406-SG
   ESX            3.0.3     ESX      ESX303-200808402-SG
   ESX            3.0.2     ESX      ESX-1006037
   ESX            3.0.1     ESX      ESX-1006355
   ESX            2.5.5     ESX      not affected
   ESX            2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX
   ---
   ESX 3.5 patch ESX350-200808405-SG (net-snmp)
   http://download3.vmware.com/software/esx/ESX350-200808405-SG.zip
   md5sum: df41ff24c3f805958e7f270c5475dc42
   http://kb.vmware.com/kb/1005814

   ESX 3.5 patch ESX350-200808406-SG (perl)
   http://download3.vmware.com/software/esx/ESX350-200808406-SG.zip
   md5sum: 6916a5ea5533948ce17e4f4e7f61cd02
   http://kb.vmware.com/kb/1005815

   ESX 3.0.3 build 104629
   ESX Server 3.0.3 CD image
   md5sum: c2cda9242c6981c7eba1004e8fc5626d
   Upgrade package from ESX Server 2.x to ESX Server 3.0.3
   md5sum: 0ad8fa4707915139d8b2343afebeb92b
   Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
   md5sum: ff7f3dc12d34b474b231212bdf314113
   release notes:
   http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html

   ESX 3.0.3 (net-snmp)
   http://download3.vmware.com/software/vi/ESX303-200808401-SG.zip
   md5sum: 93b8281b4e491e0c564c94a1419136cd
   http://kb.vmware.com/kb/1006032

   ESX 3.0.3 (perl)
   http://download3.vmware.com/software/vi/ESX303-200808402-SG.zip
   md5sum: a6734a3438da0492b3cad6c0bb462da4
   http://kb.vmware.com/kb/1006033
 
   ESX 3.0.2 (OpenSSL)
   http://download3.vmware.com/software/vi/ESX-1005116.tgz
   md5sum: 96fbbf2baf0744d7f23bfa1730be258d
   http://kb.vmware.com/kb/1005116

   ESX 3.0.2 (net-snmp)
   http://download3.vmware.com/software/vi/ESX-1006031.tgz
   md5sum: affd9ec9feaa7b42e0828c9634a40d56
   http://kb.vmware.com/kb/1006031
  
   ESX 3.0.2 (perl)
   http://download3.vmware.com/software/vi/ESX-1006037.tgz
   md5sum: 8c18cf1a06e359d5014efa04c3ca3787
   http://kb.vmware.com/kb/1006037

   ESX 3.0.1 (OpenSSL)
   http://download3.vmware.com/software/vi/ESX-1005115.tgz
   md5sum: ebaa361c959836156b707e824095dc99
   http://kb.vmware.com/kb/1005115

   ESX 3.0.1 (net-snmp)
   http://download3.vmware.com/software/vi/ESX-1006030.tgz
   md5sum: 3a52550ca6c958fc09af8ca4484aa6c9
   http://kb.vmware.com/kb/1006030
  
   ESX 3.0.1 (perl)
   http://download3.vmware.com/software/vi/ESX-1006355.tgz
   md5sum: 866846fa1f96cef45608a0e16e1ef979
   http://kb.vmware.com/kb/1006355
   
5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927

- ------------------------------------------------------------------------
6. Change log

2008-08-12  VMSA-2008-0013
Initial release following release of ESX 3.0.3.
2008-08-26  VMSA-2008-0013.1
Corrected version information for the net-snmp and perl Service Console
rpms that are present in ESX 3.0.3 released on August 8. Previous
communication incorrectly stated that these rpms had been updated.
Updates for these rpms will be provided in an upcoming patch release.
2008-08-29  VMSA-2008-0013.2
Updated version information after the release of patches with updates
for net-snmp and Perl for ESX301, ESX302 and ESX303 on August 28.
Added version information after the release of patches with an update
for OpenSSL for ESX301, and ESX302 on August 28.
2008-09-18 VMSA-2008-0013.3
Added updated information for net-snmp and perl after the release of
patches for ESXi 3.5 and ESX 3.5 on 2008-09-18.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFI0yYGS2KysvBH1xkRAm5sAJ9kZ1w4kcIrjLXJP7hzVUICUSL+iACfUqdx
0dj0xWTpo8p3PHE38la4U/0=
=U5OM
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list