VMSA-2008-0011.3

Updated ESX service console packages for Samba and vmnix

VMware Security Advisory

Advisory ID:  VMSA-2008-0011.3
Synopsis:     Updated ESX service console packages for Samba and vmnix
Issue date:   2008-07-28
Updated on:   2008-10-31
CVE numbers:  CVE-2007-5001 CVE-2007-6151 CVE-2007-6206
              CVE-2008-0007 CVE-2008-1367 CVE-2008-1375
              CVE-2008-1669 CVE-2006-4814 CVE-2008-1105

1. Summary:


Updated ESX packages address several security issues.

 
2. Relevant releases:


VMware ESX 3.5 without patches ESX350-200806201-UG (vmnix) and
ESX350-200806218-UG (samba)
VMware ESX 3.0.2 without patch ESX-1006029
VMware ESX 3.0.1 without patch ESX-1006028
VMware ESX 2.5.5 before Upgrade Patch 10
VMware ESX 2.5.4 before Upgrade Patch 21

NOTE: Extended support (Security and Bug fixes) for ESX 3.0.2 ends
on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3
and preferably to the newest release available.

Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended
on 2008-07-31. The 3.0.1 patches are released in August because
there was no patch release in July.

 
3. Problem description:

I Service Console rpm updates

a. Security Update to Service Console Kernel
This fix upgrades service console kernel version to 2.4.21-57.EL.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5001, CVE-2007-6151, CVE-2007-6206,
CVE-2008-0007, CVE-2008-1367, CVE-2008-1375, CVE-2006-4814, and
CVE-2008-1669 to the security issues fixed in kernel-2.4.21-57.EL.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  ===========================
VirtualCenter  any       Windows  not applicable
hosted         any       any      not applicable
ESXi           3.5       ESXi     not applicable
ESX            3.5       ESX      patch ESX350-200806201-UG
ESX            3.0.3     ESX      not affected
ESX            3.0.2     ESX      affected, no update planned
ESX            3.0.1     ESX      affected, no update planned
ESX            2.5.5     ESX      not applicable
ESX            2.5.4     ESX      not applicable

b. Samba Security Update


This fix upgrades the service console rpm samba to version
3.0.9-1.3E.15vmw
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-1105 to this issue.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  ====================================
VirtualCenter  any       Windows  not applicable
hosted         any       any      not applicable
ESXi           3.5       ESXi     not applicable
ESX            3.5       ESX      patch ESX350-200806218-UG
ESX            3.0.3     ESX      not affected
ESX            3.0.2     ESX      patch ESX-1006029
ESX            3.0.1     ESX      patch ESX-1006028
ESX            2.5.5     ESX      ESX 2.5.5 upgrade patch 10 or later
ESX            2.5.4     ESX      ESX 2.5.4 upgrade patch 21

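A check against the fixed versions named in 3a and 3b, added here as an example and not part of VMware's advisory: it compares installed service console package versions segment by segment, as rpm does, because plain string comparison would rank 2.4.21-9.EL above 2.4.21-57.EL. The package names kernel and samba, the rpm query format and the sample lines are assumptions; epochs and rpm's "~" ordering are not handled, and one line per package is expected.

```python
import re

# Fixed version-release strings quoted from sections 3a and 3b of the advisory.
# Assumption: rpm reports the packages under the names "kernel" and "samba".
FIXED = {"kernel": "2.4.21-57.EL", "samba": "3.0.9-1.3E.15vmw"}

def _segments(s):
    # rpm compares runs of digits or letters; separators such as "." are dropped
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 using rpm-style segment comparison (no epoch, no '~')."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric: 57 > 9, unlike string order
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments are newer

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_lines):
    """Map each tracked package to 'fixed', 'below fixed version' or 'not installed'."""
    status = dict.fromkeys(FIXED, "not installed")
    for line in rpm_lines:
        name, _, evr = line.strip().partition(" ")
        if name in FIXED:
            ok = evr_cmp(evr, FIXED[name]) >= 0
            status[name] = "fixed" if ok else "below fixed version"
    return status

# Constructed sample output of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' kernel samba
SAMPLE = ["kernel 2.4.21-9.EL", "samba 3.0.9-1.3E.15vmw"]

if __name__ == "__main__":
    for pkg, state in sorted(audit(SAMPLE).items()):
        print(pkg, state)
```
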
4. Solution:


Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

ESX 3.5 (Samba)
http://download3.vmware.com/software/esx/ESX350-200806218-UG.zip
md5sum: dfad21860ba24a6322b36041c0bc2a07
http://kb.vmware.com/kb/1005931

ESX 3.5 (vmnix)
http://download3.vmware.com/software/esx/ESX350-200806201-UG.zip
md5sum: 2888192905a6763a069914fcd258d329
http://kb.vmware.com/kb/1005894

ESX 3.0.3 build 104629
ESX Server 3.0.3 CD image
md5sum: c2cda9242c6981c7eba1004e8fc5626d
Upgrade package from ESX Server 2.x to ESX Server 3.0.3
md5sum: 0ad8fa4707915139d8b2343afebeb92b
Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
md5sum: ff7f3dc12d34b474b231212bdf314113
release notes:
http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html

ESX 3.0.2 patch ESX-1006029
http://download3.vmware.com/software/vi/ESX-1006029.tgz
md5sum: 08b81541304a3a8a612679e6a50aaa6c
http://kb.vmware.com/kb/1006029

ESX 3.0.1 patch ESX-1006028
http://download3.vmware.com/software/vi/ESX-1006028.tgz
md5sum: 81e7e5771354340805ba6fb94ac7115a
http://kb.vmware.com/kb/1006028

VMware ESX 2.5.5 Upgrade Patch 10
http://download3.vmware.com/software/esx/esx-2.5.5-119702-upgrade.tar.gz
md5sum: 2ee87cdd70b1ba84751e24c0bd8b4621
http://vmware.com/support/esx25/doc/esx-255-200810-patch.html

VMware ESX 2.5.4 Upgrade Patch 21
http://download3.vmware.com/software/esx/esx-2.5.4-119703-upgrade.tar.gz
md5sum: d791be525c604c852a03dd7df0eabf35
http://vmware.com/support/esx25/doc/esx-254-200810-patch.html

6. Change log:


2008-07-28 VMSA-2008-0011
Initial release
2008-08-12 VMSA-2008-0011.1
Added VMware ESX 3.0.3 released on 2008-08-08
2008-08-29 VMSA-2008-0011.2
Added VMware ESX 3.0.2, ESX 3.0.1 released on 2008-08-28
2008-10-31 VMSA-2008-0011.3
Added VMware ESX 2.5.4 and ESX 2.5.5 released on 2008-10-30

 
7. Contact:


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html