[Security-announce] UPDATED VMSA-0001.3 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

VMware Security Announcements security-announce at lists.vmware.com
Thu Oct 27 22:39:27 PDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2011-0001.3
Synopsis:          VMware ESX third party updates for Service Console
                   packages glibc, sudo, and openldap
Issue date:        2011-01-04
Updated on:        2011-10-27
CVE numbers:       CVE-2010-3847 CVE-2010-3856 CVE-2010-2956
                   CVE-2010-0211 CVE-2010-0212
- ------------------------------------------------------------------------

1. Summary

   ESX 4.x Service Console OS (COS) updates for glibc, sudo, and
   openldap packages.

2. Relevant releases

   VMware ESX 4.1 without patches ESX410-201101226-SG,
   ESX410-201104404-SG

   VMware ESX 4.0 without patches ESX400-201101405-SG,
   ESX400-201101404-SG

3. Problem Description

 a. Service Console update for glibc

    The service console packages glibc, glibc-common, and nscd are each
    updated to version 2.5-34.4908.vmw.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues
    addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.1       ESX      ESX410-201101226-SG
    ESX            4.0       ESX      ESX400-201101405-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * Hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for sudo

    The service console package sudo is updated to version
    1.7.2p1-8.el5_5.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-2956 to the issue addressed in this
    update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201104404-SG
    ESX            4.0       ESX      ESX400-201101404-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console update for openldap

    The service console package openldap is updated to version
    2.3.43-12.el5_5.1.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues
    addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      not affected **
    ESX            4.0       ESX      ESX400-201101402-SG **
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.
 ** After the initial advisory, it was determined that ESX does not
    contain the affected component of openldap.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware ESX 4.1
   ----------------
   VMware ESX 4.1 Update 1
   Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-259-20110127-527075/update-from-esx4.1-4.1_update01.zip
   md5sum: 2d81a87e994aa2b329036f11d90b4c14
   sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
   http://kb.vmware.com/kb/1029353

   update-from-esx4.1-4.1_update01 contains the following security
bulletins:
   ESX410-201101226-SG (glibc)        | http://kb.vmware.com/kb/1031330
   ESX410-201101201-SG (core & CIM)   | http://kb.vmware.com/kb/1027904

   ESX410-Update01 also contains the following non-security bulletins
     ESX410-201101219-UG, ESX410-201101203-UG, ESX410-201101214-UG,
     ESX410-201101217-UG, ESX410-201101215-UG, ESX410-201101225-UG,
     ESX410-201101223-UG, ESX410-201101216-UG, ESX410-201101202-UG,
     ESX410-201101222-UG, ESX410-201101220-UG, ESX410-201101213-UG,
     ESX410-201101218-UG, ESX410-201101204-UG, ESX410-201101221-UG,
     ESX410-201101211-UG, ESX410-201101206-UG, ESX410-201101207-UG,
     ESX410-201101224-UG, ESX410-201101208-UG.

   To install an individual bulletin use esxupdate with the -b option.

   ESX410-201104001
   Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
   md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
   sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
   http://kb.vmware.com/kb/1035110

   ESX410-201104001 contains ESX410-201104404-SG.

   VMware ESX 4.0
   -------
   ESX400-201101001
   Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664659/ESX400-201101001.zip
   md5sum: f1d522b380692e0845eb0dda480ab890
   sha1sum: 906989af3ddacc41321d685c4afe0d740856f9d5
   http://kb.vmware.com/kb/1029426

   ESX400-201101001 contains the following security bulletins:
      ESX400-201101401-SG (COS kernel) | http://kb.vmware.com/kb/1029424
      ESX400-201101405-SG (glibc)      | http://kb.vmware.com/kb/1029881
      ESX400-201101404-SG (sudo)       | http://kb.vmware.com/kb/1029421
      ESX400-201101402-SG (openldap)   | http://kb.vmware.com/kb/1029423

   ESX400-201101401-SG is documented in VMSA-2010-0017.1.

   To install an individual bulletin use esxupdate with the -b option.

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0212

- ------------------------------------------------------------------------

6. Change log

	2011-01-04  VMSA-2011-0001
	Initial security advisory in conjunction with the release of patches
	for ESX 4.0 on 2011-01-04
	
	2011-02-10  VMSA-2011-0001.1
	Updated security advisory in conjunction with the release of patches
	for ESX 4.1 as part of the ESX 4.1 Update 1 release on 2011-02-10.
	
	2011-04-28  VMSA-2010-0001.2
	Updated advisory after release of ESX 4.1 patches on 2011-04-28.

	2011-10-27  VMSA-2010-0001.3
	Updated section 3.c on openldap. After the initial advisory, it was
	determined that ESX does not contain the affected component of
	openldap.

- -----------------------------------------------------------------------

7. Contact

	E-mail list for product security notifications and announcements:
	http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
	
	This Security Advisory is posted to the following lists:
	
	  * security-announce at lists.vmware.com
	  * bugtraq at securityfocus.com
	  * full-disclosure at lists.grok.org.uk
	
	E-mail:  security at vmware.com
	PGP key at: http://kb.vmware.com/kb/1055
	
	VMware Security Advisories
	http://www.vmware.com/security/advisories
	
	VMware security response policy
	http://www.vmware.com/support/policies/security_response.html
	
	General support life cycle policy
	http://www.vmware.com/support/policies/eos.html
	
	VMware Infrastructure support life cycle policy
	http://www.vmware.com/support/policies/eos_vi.html
	
	Copyright 2011 VMware Inc.  All rights reserved.
	
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6qQA8ACgkQDEcm8Vbi9kOlVwCfXhDc/F2NnQ8STPC5gR9tUjlc
LMMAoM+mIZtHRKmLGReUWUQNVq8bA67y
=kFn6
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list