[Security-announce] UPDATED VMSA-2013-0004.3 VMware ESXi and ESX security update for third party library
VMware Security Announcements
security-announce at lists.vmware.com
Thu May 30 21:21:26 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0004.3
Synopsis: VMware ESXi and ESX security update for third party library
Issue date: 2013-03-28
Updated on: 2013-05-30
CVE number: CVE-2012-5134
- -----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX security updates for third party library
2. Relevant releases
ESXi 5.1 without patch ESXi510-201304101
ESXi 5.0 without patch ESXi500-201303101
ESXi 4.0 without patch ESXi400-201305001
ESXi 4.1 without patch ESXi410-201304401
ESX 4.1 without patch ESX410-201304401
ESX 4.0 without patch ESX400-201305404
3. Problem Description
a. Update to ESX/ESXi libxml2 userworld and service console.
The ESX/ESXi userworld libxml2 library has been updated to
resolve a security issue. Also, the ESX service console
libxml2 packages are updated to the following versions:
libxml2-2.6.26-2.1.15.el5_8.6
libxml2-python-2.6.26-2.1.15.el5_8.6
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2012-5134
to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
==============  ========  =======   =================
ESXi            5.1       ESXi      ESXi510-201304101-SG
ESXi            5.0       ESXi      ESXi500-201303101-SG
ESXi            4.1       ESXi      ESXi410-201304401-SG
ESXi            4.0       ESXi      ESXi400-201305401-SG
ESX             4.1       ESX       ESX410-201304401-SG
ESX             4.0       ESX       ESX400-201305404-SG
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESXi and ESX
------------
https://my.vmware.com/web/vmware/downloads
ESXi 5.1
-------
File: update-from-esxi5.1-5.1_update01.zip
md5sum: 28b8026bcfbe3cd1817509759d4b61d6
sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
http://kb.vmware.com/kb/2041632
ESXi 5.0
--------
File: ESXi500-201303001.zip
md5sum: c62470c48e81da84891c79d5533c8e91
sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7
http://kb.vmware.com/kb/2044373
ESXi 4.1
----------------
File: ESXi410-201304001.zip
md5sum: 9ce63bcacb3412fc1c8a6a8c47ac6af6
sha1sum: 241603ef6b856e573a62fe27da039c8fffe54b1d
http://kb.vmware.com/kb/2045255
ESXi410-201304001.zip contains ESXi410-201304401
ESXi 4.0
----------------
File: ESXi400-201305001.zip
md5sum: d09b9853dd47573fcef7200622d5eee7
sha1sum: 80de7ba73ab28be59abe8463baa9b12ec1b390dd
https://kb.vmware.com/kb/2044246
ESXi400-201305001 contains ESXi400-201305401-SG
ESX 4.1
----------------
File: ESX410-201304001.zip
md5sum: df9ef1d25f383a12d2fbc47cdc5f55d2
sha1sum: e49068da7cf7e0ada57c4604cbc9ba253c03e3a0
http://kb.vmware.com/kb/2045253
ESX410-201304001.zip contains ESX410-201304401
ESX 4.0
----------------
File: ESX400-201305001.zip
md5sum: ad8e8f1709c799fc26841514248605f3
sha1sum: 7e4e7ac361a8cc5fe8fa4b0bbd57ecfb81ab804c
https://kb.vmware.com/kb/2046005
ESX400-201305001 contains ESX400-201305404-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134
- ----------------------------------------------------------------------
6. Change log
2013-03-28 VMSA-2013-0004
Initial security advisory in conjunction with the release of
ESXi 5.0 patch on 2013-03-28.
2013-04-25 VMSA-2013-0004.1
Updated security advisory due to ESXi 5.1 update released on
2013-04-25.
2013-04-30 VMSA-2013-0004.2
Updated security advisory due to ESXi and ESX 4.1 update released on
2013-04-30.
2013-05-30 VMSA-2013-0004.3
Updated security advisory in conjunction with the release
of ESX and ESXi 4.0 patches on 2013-05-30.
- ----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFRp5D+DEcm8Vbi9kMRAhCSAKCt+tQbjYd56OQaP4IKb7oWsM4saACgj9wa
HNlX64qNw67v4nzz2jmU8pI=
=y+55
-----END PGP SIGNATURE-----
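The checksum verification requested in section 4, as an added example that is not part of VMware's advisory: it parses File/md5sum/sha1sum entries in the layout the advisory uses and compares both published digests against a downloaded bundle. The function names are illustrative, and the embedded excerpt is the ESXi 5.0 entry copied from the advisory.

```python
import hashlib
import hmac
import os
import re
import sys

# Excerpt copied from section 4 of the advisory (ESXi 5.0 entry).
ADVISORY_EXCERPT = """\
ESXi 5.0
--------
File: ESXi500-201303001.zip
md5sum: c62470c48e81da84891c79d5533c8e91
sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7
http://kb.vmware.com/kb/2044373
"""

# One "File: / md5sum: / sha1sum:" triple, tolerant of trailing whitespace.
ENTRY_RE = re.compile(
    r"^File:[ \t]*(?P<name>\S+)[ \t]*\n"
    r"md5sum:[ \t]*(?P<md5>[0-9a-fA-F]{32})[ \t]*\n"
    r"sha1sum:[ \t]*(?P<sha1>[0-9a-fA-F]{40})[ \t]*$",
    re.MULTILINE,
)

def parse_published_digests(text):
    """Map each listed file name to the digests published for it."""
    return {m["name"]: {"md5": m["md5"].lower(), "sha1": m["sha1"].lower()}
            for m in ENTRY_RE.finditer(text)}

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and compute both digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify_download(path, published):
    """Return the algorithms whose digest differs; KeyError if the file is unlisted."""
    expected = published[os.path.basename(path)]
    actual = file_digests(path)
    return [alg for alg in ("md5", "sha1")
            if not hmac.compare_digest(actual[alg], expected[alg])]

if __name__ == "__main__" and len(sys.argv) == 2:
    bad = verify_download(sys.argv[1], parse_published_digests(ADVISORY_EXCERPT))
    print("MISMATCH: " + ", ".join(bad) if bad else "OK: digests match the advisory")
    sys.exit(1 if bad else 0)
```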