VMware ESX Server 2.0.1 Security Update for OpenSSL

Released 5/4/04 TAR File

This patch includes a new update for ESX Server 2.0.1 that addresses the following security vulnerabilities in standard Linux libraries that use OpenSSL.

• OpenSSL Security Advisory (issued March 17th, 2004)
• CERT Technical Cyber Security Alert TA04-078A
• Linux security exploit CAN-2004-0079
  
• Linux security exploit CAN-2004-0112
  
• Linux security exploit CAN-2004-0081
  

Note: This update only works if you have ESX Server 2.0.1, Build 6403. If you are currently using ESX 2.0, you must upgrade to ESX 2.0.1 before applying this update.

This OpenSSL update supercedes the OpenSSH and OpenSSL Update for ESX Server 2.0.0.

There is a separate OpenSSL update for ESX Server 1.5.2 available as the VMware OpenSSL Update for ESX Server 1.5.2.

Installing the Update

1. Log in as root into the ESX Server 2.0.1 service console.
2. Your path variable should contain /usr/bin.
3. Download the tar file into the temporary directory /tmp, on your ESX service console.
4. Change directory to /tmp.
5. Verify the integrity of the package:
   md5sum esx-201-patch-8045.tgz

   The md5 checksum output should match the following:
   f28d5549e45c24b38ed230caf3faf70d esx-201-patch-8045.tgz

6. Extract the compressed tar archive:
   tar -xvzf esx-201-patch-8045.tgz
7. Change directories to the newly created directory /tmp/esx-201-patch-8045:
   cd esx-201-patch-8045
8. Run the driver installer:
   /usr/bin/perl ./esx-openssl-patch.pl
9. If you are prompted to enter the HTTP session time out setting, press Enter to accept the default setting of 60 minutes.
   
10. The OpenSSL update has been installed. You do not need to reboot your server to apply the update.