-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2011-0001 Synopsis: VMware ESX third party updates for Service Console packages glibc, sudo, and openldap Issue date: 2011-01-04 Updated on: 2011-01-04 (initial release of advisory) CVE numbers: CVE-2010-3847 CVE-2010-385 CVE-2010-2956 CVE-2010-0211 CVE-2010-0212 - ------------------------------------------------------------------------ 1. Summary ESX 4.0 Service Console OS (COS) updates for glibc, sudo, and openldap packages. 2. Relevant releases VMware ESX 4.0 without patches ESX400-201101405-SG, ESX400-201101404-SG, ESX400-201101402-SG 3. Problem Description a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not applicable ESX 4.1 ESX affected, patch pending ESX 4.0 ESX ESX400-201101405-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * Hosted products are VMware Workstation, Player, ACE, Server, Fusion. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX affected, patch pending ESX 4.0 ESX ESX400-201101404-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX affected, patch pending ESX 4.0 ESX ESX400-201101402-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESX 4.0 ------- ESX400-201101001 Download link: https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664 659/ESX400-201101001.zip md5sum: f1d522b380692e0845eb0dda480ab890 sha1sum: 906989af3ddacc41321d685c4afe0d740856f9d5 http://kb.vmware.com/kb/1029426 ESX400-201101001 contains the following security bulletins: ESX400-201101401-SG (COS kernel) | http://kb.vmware.com/kb/1029424 ESX400-201101405-SG (glibc) | http://kb.vmware.com/kb/1029881 ESX400-201101404-SG (sudo) | http://kb.vmware.com/kb/1029421 ESX400-201101402-SG (openldap) | http://kb.vmware.com/kb/1029423 ESX400-201101401-SG is documented in VMSA-2010-0017.1. To install an individual bulletin use esxupdate with the -b option. 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0212 - ------------------------------------------------------------------------ 6. Change log 2011-01-04 VMSA-2011-0001 Initial security advisory in conjunction with the release of patches for ESX 4.0 on 2011-01-04 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2011 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFNJBPaS2KysvBH1xkRAtseAJ4l2OJWnrpwT9YcncIzlZU66/imEgCfUBzL wDKHxW0zrjUpSyFjUvC87Nk= =28bu -----END PGP SIGNATURE-----