VMSA-2010-0001.1

ESX Service Console and vMA updates for nss and nspr

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2010-0001.1
VMware Security Advisory Synopsis:
  ESX Service Console and vMA updates for nss and nspr
VMware Security Advisory Issue date:
  2010-03-03
VMware Security Advisory Updated on:
  2010-01-06 (initial release of advisory)
VMware Security Advisory CVE numbers:
  CVE-2009-2409 CVE-2009-2408 CVE-2009-2404
CVE-2009-1563 CVE-2009-3274 CVE-2009-3370
CVE-2009-3372 CVE-2009-3373 CVE-2009-3374
CVE-2009-3375 CVE-2009-3376 CVE-2009-3380
CVE-2009-3382
1. Summary

Update for Service Console and vMA for nss and nspr packages.

2. Relevant releases

VMware ESX 4.0 without patch ESX400-200912403-SG

vMA without Patch 3

3. Problem Description

a. Update for Service Console packages nss and nspr
Service console packages for Network Security Services (NSS) and NetScape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.

VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
VMware Product ============= VirtualCenter
Product Version ======= any
Running on ======= Windows
Replace with/ Apply Patch ================= not affected
VMware Product ============= hosted*
Product Version ======= any
Running on ======= any
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESXi
Product Version ======= any
Running on ======= ESXi
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 4.0
Running on ======= ESX
Replace with/ Apply Patch ================= ESX400-200912403-SG
VMware Product ============= ESX
Product Version ======= 3.5
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 3.0.3
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 3.0.2
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 2.5.5
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= vMA
Product Version ======= 4.0
Running on ======= RHEL5
Replace with/ Apply Patch ================= Patch 3


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
ESX 4.0
-------
ESX400-200912403-SG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
md5sum: 78c6cf139b7941dc736c9d3a41deae77
sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
http://kb.vmware.com/kb/1016293

To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912403-SG
update vMA 4.0
-------
To update VIMA
1 Log in to VIMA as vi-admin.
2 type 'sudo /usr/sbin/vima-update update' this will apply all currently available updates. See http://tinyurl.com/yfekgrx for more information.

6. Change log

2010-01-06 VMSA-2010-0001
Initial security advisory after release of patch ESX400-200912403-SG for ESX 4.0 on 2010-01-06.
2010-03-03 VMSA-2010-0001.1
Updated advisory after release of vMA Patch 3 on 2010-02-25.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: