VMware

VMware ESX Server 2.5.5 Upgrade Patch 10 (for 2.5.5 Systems Only)

Released 10/30/08

TAR File

This document contains the following information:

Security Issues

Refer VMware Security Center for the VMware Security Advisories. This patch:

  • Updates the samba package distributed with the ESX Server service console, to fix an issue with the heap-based overflow flaw that allows remote attackers to execute arbitrary code.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1105 to this issue.
  • Updates the ucd-snmp service console package, to fix a flaw that was found in the way ucd-snmp checks an SNMPv3 packet's keyed-hash message authentication code (HMAC).
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0960 to this issue.
  • Upgrades the service console RPMs for bind-utils to version 9.2.1-10.el2.  
    Version 9.2.1-10.el2 addresses the recently discovered vulnerability in the BIND software used for Domain Name resolution (DNS). VMware doesn't install all the BIND packages on ESX Server and is not vulnerable by default to the reported vulnerability. Of the BIND packages, VMware only ships bind-util and bind-lib in the service console and these components by themselves cannot be used to setup a DNS server. Bind-lib and bind-util are used in client DNS applications like nsupdate, nslookup, and so on.   
    VMware explicitly discourages installing applications like BIND on the service console. In case the customer has installed BIND, and the DNS server is configured to support recursive queries, their ESX Server system is affected and they should replace BIND with a patched version.  
    Note: ESX Server will use the DNS server on the network it is on, so it is paramount to make sure to patch that DNS server.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1447 to this issue.
  • Fixes issues that were discovered in the way libpng handles various PNG image chunks. An attacker can create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to fail when the file was manipulated.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue.
  • Fixes issues with multiple vulnerabilities in the FreeType2 library for Printer Font Binary (PFB) or TrueType Font (TTF) format font files. An remote attacker could attempt a denial of service attack, or execute arbitrary code with the privileges of the application.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to these issues.
  • Updates the libxml2 package, to fix an issue with the denial of service flaw that was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3281 to this issue.
  • Updates the libtiff packages to fix issues caused by the use of uninitialized values in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. When an application is linked with libtiff package, a malformed LZW-encoded Tagged Image File Format (TIFF) file might cause the application to stop responding, or execute arbitrary code.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2327 to this issue.

Resolved Issues

This release resolves the following issues:

  • An issue where a virtual machine that has the RHEL4 Update 7 guest operating system installed might power off, when any mouse movements are made in the virtual machine.
  • An issue where access to certain files, such as virtual disk image files, might be blocked even when the need for protecting access to these files is over. This issue causes lock files with .MULTILOCK and .WRITELOCK file extensions to appear in virtual machines directories, preventing operations such as powering on a virtual machine, cloning a virtual machine, and taking snapshots of virtual machines.
  • An issue where migrating a virtual machine that is attached with an ISO image might fail, when the source ESX Server host is running ESX Server 2.5.5 Patch 9, and the destination ESX Server host is running ESX Server 2.5.4 Patch 20. The Migrate Virtual Machine task fails at 5% with a message similar to the following:
    A general system error occured: failed to copy VMconfig to VMotion dest (vim.fault.InvalidVmConfig)
  • Prior to this patch, when you run a path failover command on an active or passive array, a message similar to the following is displayed:
    Did not switchover to vmhbax:y:z. Check Unit Ready Command returned READY instead of the NOT READY for standby controller. Manual switchover to vmhbax:y:z completed successfully.
    This patch corrects the error message to:
    Path vmhba... is already active. No action required.

Applicability

This patch is an ESX Server 2.5.5 patch. Ensure that ESX Server 2.5.5 build 57619 or higher is installed before applying the patch. Run vmware -v to see the version and build information for your system.

Installing the Update

Note: Back up your ESX Server installation before installing this patch. Also, a minimum of 350MB of temporary free space on the "/" file system is required for installing this patch.

This update requires you to boot your server into Linux mode to perform the upgrade. When you are prompted to reboot at the end of the upgrade, the installer will restart your system to run ESX Server.

  1. Power off all virtual machines.
  2. Restart your system.
  3. At the LILO Boot Menu, select the option appropriate for your system.
    • For a boot-from-SAN installation, select esx-san-safe.
    • For all other installations, select linux-up.
  4. Log in as root to the ESX Server service console.
  5. Download the tar file into a temporary directory under /root on your ESX Server service console.
  6. Change your working directory to that directory.
  7. Verify the integrity of the package:
    # md5sum esx-2.5.5-119702-upgrade.tar.gz

    The md5 checksum output should match the following:
    2ee87cdd70b1ba84751e24c0bd8b4621 esx-2.5.5-119702-upgrade.tar.gz

  8. Extract the compressed tar archive:
    # tar -xvzf esx-2.5.5-119702-upgrade.tar.gz
  9. Change to the newly created directory:
    # cd esx-2.5.5-119702-upgrade
  10. Run the installer:
    # ./upgrade.pl
  11. The system updates have now been installed. A reboot prompt is displayed:
    Reboot the server now [y/n]?

    This update will not be complete until you reboot the ESX Server host. If you enter n to indicate that you will not reboot the server at this time, ESX Server displays the warning message: Please reboot the server manually. Your virtual machines will not run properly until this is done. If you see this message, you must manually reboot the server to complete the upgrade.

  12. At the reboot prompt, enter y to reboot the server.