VMware

VMware ESX Server 2.5.5 Upgrade Patch 13 (for 2.5.5 Systems Only)

Released 5/28/09

TAR File

This document contains the following information:

Security Issues

Refer VMware Security Center for regular updates to the VMware Security Advisories.
This patch contains the following security updates for the service console:

  • Updates the VIM (Visual editor iMproved) packages for the service console to fix the following security issues:
    • Input sanitization flaws in VIM keyword and tag handling. If you access a malicious tag or keyword in a document, it might be possible to run arbitrary code as the user running VIM.
      The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue.
    • Input sanitization flaws in VIM system functions. If you open a malicious file, it might be possible to run arbitrary code as the user running VIM.
      The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue.
  • Updates the Berkeley Internet Name Domain (BIND) RPMs in the service console.
    A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue.
  • Updates the OpenSSL packages for the service console.
    Functions inside OpenSSL incorrectly check the result after calling the EVP_VerifyFinal function, which allows a malformed signature to be accepted as valid rather than an error. This issue affects the signature checks on DSA and ECDSA keys used with SSL/TLS.
    The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-5077 to this issue.
  • Updates the libpng packages for the service console to fix the following security issues:
    • The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files. An attacker can create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to stop responding or execute arbitrary code with the privileges of the user running the application.
      The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0040 to this issue.
    • A vulnerability in the way libpng handles PNG images containing unknown chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to stop responding.
      The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1382 to this issue.

Applicability

This patch is an ESX Server 2.5.5 patch. Ensure that ESX Server 2.5.5 build 57619 or later is installed before applying the patch. Run vmware -v to see the version and build information for your system.

Installing the Update

Note: Back up your ESX Server installation before installing this patch. Also, a minimum of 350MB of temporary free space on the / file system is required for installing this patch.

This update requires you to boot your server into Linux mode to perform the upgrade. When you are prompted to reboot at the end of the upgrade, the installer restarts your system to run ESX Server.

  1. Power off all virtual machines.
  2. Restart your system.
  3. At the LILO Boot Menu, select the option appropriate for your system.
    • For a boot-from-SAN installation, select esx-san-safe.
    • For all other installations, select linux-up.
  4. Log in as root to the ESX Server service console.
  5. Download the tar file into a temporary directory under /root on your ESX Server service console.
  6. Change your working directory to that directory.
  7. Verify the integrity of the package:
    # md5sum esx-2.5.5-161312-upgrade.tar.gz

    The md5 checksum output should match the following:
    a477b7819f5a0d4cbd38b98432a48c88 esx-2.5.5-161312-upgrade.tar.gz

  8. Extract the compressed tar archive:
    # tar -xvzf esx-2.5.5-161312-upgrade.tar.gz
  9. Change to the newly created directory:
    # cd esx-2.5.5-161312-upgrade
  10. Run the installer:
    # ./upgrade.pl
  11. The system updates have now been installed. A reboot prompt is displayed:
    Reboot the server now [y/n]?

    This update will not be complete until you reboot the ESX Server host. If you enter n to indicate that you will not reboot the server at this time, ESX Server displays the warning message: Please reboot the server manually. Your virtual machines will not run properly until this is done. If you see this message, you must manually reboot the server to complete the upgrade.

  12. At the reboot prompt, enter y to reboot the server.