VMSA-2007-0005

VMware Security Advisory
Advisory ID: VMSA-2007-0005
Synopsis: Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
Issue date: 2007-07-05
Updated on: 2007-07-05
CVE numbers: CVE-2007-1351 CVE-2007-1352 CVE-2007-1667
CVE-2005-3055 CVE-2005-3273 CVE-2006-1056
CVE-2006-1342 CVE-2006-1343 CVE-2006-1864
CVE-2006-2071 CVE-2007-0956 CVE-2007-0957
CVE-2007-1216
1. Summary:
Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
2. Relevant releases:
VMware ESX 3.0.1 without patch ESX-1000073

VMware ESX 3.0.0 without patch ESX-1000080

VMware ESX 2.5.4 prior to upgrade patch 9 (Build# 47255)

VMware ESX 2.5.3 prior to upgrade patch 12 (Build# 47274)

VMware ESX 2.1.3 prior to upgrade patch 7 (Build# 47243)

VMware ESX 2.0.2 prior to upgrade patch 7 (Build# 47268)
3. Problem description:
Problems addressed by these patches:

a. An updated Service Console XFree86 package that fixes a number of security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-1003, CVE-2007-1351, CVE-2007-1352, and CVE-2007-1667 to these issues.

ESX 2.5.4 Upgrade Patch 9 (Build# 47255)
ESX 2.5.3 Upgrade Patch 12 (Build# 47274)
ESX 2.1.3 Upgrade Patch 7 (Build# 47243)
ESX 2.0.2 Upgrade Patch 7 (Build# 47268)

b. Upgraded UP and SMP kernels for ESX Server 2.5.4 fix a number of security issues.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-3055, CVE-2005-3273,
CVE-2006-1056, CVE-2006-1342, CVE-2006-1343, CVE-2006-1864, and
CVE-2006-2071 to these issues. The new kernel version is 2.4.9-e.71.

ESX 2.5.4 Upgrade Patch 9 (Build# 47255)

c. An update to the Kerberos network authentication packages provided in
the VMware ESX Server Service Console. Possible vulnerabilities have
been found with the krb5 telnet daemon, the Kerberos KDC, and kadmin.

Although these features are not enabled in the Service Console by default,
VMware recommends that all users apply this patch.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CVE-2007-0956, CVE-2007-0957, and CVE-2007-1216 to these issues.

VMware ESX 3.0.1 without patch ESX-1000073
VMware ESX 3.0.0 without patch ESX-1000080
4. Solution:
Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.

ESX 3.0.1
www.vmware.com/support/vi3/doc/esx-1000073-patch.html
md5sum be83416cd0ba35c2b46e3550608b436e

ESX 3.0.0
www.vmware.com/support/vi3/doc/esx-1000080-patch.html
md5sum ea6c2db9554adc15e506a3f0ece6976a

ESX 2.5.4
www.vmware.com/support/esx25/doc/esx-254-200706-patch.html
md5sum da6f0056f8ea0b77a42c0250795c3dd1

ESX 2.5.3
www.vmware.com/support/esx25/doc/esx-253-200706-patch.html
md5sum 8da2a03673608033feccdca57d78504f

ESX 2.1.3
www.vmware.com/support/esx21/doc/esx-213-200706-patch.html
md5sum 6ecef2b89dadf35b86290dc7e33d90f7

ESX 2.0.2
www.vmware.com/support/esx2/doc/esx-202-200706-patch.html
md5sum 0357cbf7536788cad94ede871a3440c9
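
One way to script the md5sum check requested in section 4, as an added example that is not part of VMware's advisory. The function names and the script's calling convention are assumptions; the hashes are the ones listed above.

```shell
#!/bin/sh
# Added example: check a downloaded ESX patch file against the MD5 value
# published in VMSA-2007-0005, section 4. Function names are hypothetical.

# Print the advisory's MD5 for a release; fail for a release it does not list.
vmsa_expected_md5() {
    case "$1" in
        3.0.1) echo be83416cd0ba35c2b46e3550608b436e ;;
        3.0.0) echo ea6c2db9554adc15e506a3f0ece6976a ;;
        2.5.4) echo da6f0056f8ea0b77a42c0250795c3dd1 ;;
        2.5.3) echo 8da2a03673608033feccdca57d78504f ;;
        2.1.3) echo 6ecef2b89dadf35b86290dc7e33d90f7 ;;
        2.0.2) echo 0357cbf7536788cad94ede871a3440c9 ;;
        *) return 1 ;;
    esac
}

# Compare a file's MD5 with an expected value (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 on unreadable file or malformed hash.
md5_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 32 ] || return 2
    [ -f "$file" ] && [ -r "$file" ] || return 2
    actual=$(md5sum < "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# Verify a downloaded file for a given ESX release.
# Returns 0 match, 1 mismatch, 2 unreadable file, 3 release not in the advisory.
vmsa_verify() {
    expected=$(vmsa_expected_md5 "$1") || return 3
    md5_matches "$2" "$expected"
}

# Stand-alone use: sh verify.sh <release> <downloaded-file>
if [ "$#" -eq 2 ]; then
    vmsa_verify "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: MD5 matches the VMSA-2007-0005 value for ESX $1" ;;
        1) echo "MISMATCH: do not install this file; download it again" ;;
        *) echo "ERROR: release not in advisory, or file unreadable" ;;
    esac
    exit $rc
fi
```

A match shows the download arrived intact. MD5 is not collision-resistant, so the check is only as strong as the channel over which the advisory's hash was obtained.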
6. Contact:
E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk

E-mail: security@vmware.com

www.vmware.com/security

VMware Security Response Policy
www.vmware.com/vmtn/technology/security/security_response.html

Copyright 2007 VMware Inc. All rights reserved.