New VMware Security Advisories.

Today I have received three yes three advisories from VMware as usual I will print them in full.

Advertisements

Today I have received three, yes three advisories from VMware as usual I will print them in full.

VMware Security Advisory

Advisory ID:       VMSA-2010-0001
Synopsis:          ESX Service Console updates for nss and nspr
Issue date:        2010-01-06
Updated on:        2010-01-06 (initial release of advisory)
CVE numbers:
CVE-2009-2409 CVE-2009-2408 CVE-2009-2404 CVE-2009-1563 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373 CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382
———————————————————————–
1. Summary

Update for Service Console packages nss and nspr

2. Relevant releases

VMware ESX 4.0 without patch ESX400-200912403-SG

3. Problem Description

a. Update for Service Console packages nss and nspr

Service console packages for Network Security Services (NSS) and NetScape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product Product Version Running On Replace with/Apply Patch
VirtualCenter Any Windows Not Affected
Hosted * Any Any Not Affected
ESXi Any ESXi Not Affected
ESX 4.0 ESX ESX400-200912403-SG
ESX 3.5 ESX Not Affected
ESX 3.0.3 ESX Not Affected
ESX 3.0.2 ESX Not Affected
ESX 2.5.5 ESX Not Affected
vMA 4.0 RHEL5 Affected, Patch Pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX 4.0   –   ESX400-200912403-SG

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip

md5sum: 78c6cf139b7941dc736c9d3a41deae77

sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59

http://kb.vmware.com/kb/1016293

To install an individual bulletin use esxupdate with the -b option. esxupdate –bundle=ESX400-200912001.zip -b ESX400-200912403-SG update

5. References

CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3382
————————————————————————

6. Change log
2010-01-06  VMSA-2010-0001
Initial security advisory after release of patch ESX400-200912403-SG for ESX 4.0 on 2010-01-06.

Advertisements