VMSA-2008-0011.1

Updated ESX service console packages for Samba and vmnix

-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0011.1
Synopsis:          Updated ESX service console packages for Samba
                   and vmnix 
Issue date:        2008-07-28
Updated on:        2008-08-12
CVE numbers:       CVE-2007-5001 CVE-2007-6151 CVE-2007-6206 
                   CVE-2008-0007 CVE-2008-1367 CVE-2008-1375
                   CVE-2008-1669 CVE-2006-4814 CVE-2008-1105
-------------------------------------------------------------------

1. Summary

   Updated ESX packages address several security issues. 

2. Relevant releases

   VMware ESX 3.5 without patches ESX350-200806201-UG (vmnix) and  
   ESX350-200806218-UG (samba)
   VMware ESX 3.0.2
   VMware ESX 3.0.1

   Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 
   2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1
   and preferably the newest release available.

3. Problem description

I   Service Console rpm updates

 a.  Security Update to Service Console Kernel

   This fix upgrades service console kernel version to 2.4.21-57.EL.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) 
   has assigned the names CVE-2007-5001, CVE-2007-6151, CVE-2007-6206, 
   CVE-2008-0007, CVE-2008-1367, CVE-2008-1375, CVE-2006-4814, and 
   CVE-2008-1669 to the security issues fixed in kernel-2.4.21-57.EL.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted         any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      patch ESX350-200806201-UG
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, no update planned
   ESX            3.0.1     ESX      affected, no update planned
   ESX            2.5.5     ESX      not applicable
   ESX            2.5.4     ESX      not applicable

 b.  Samba Security Update

   This fix upgrades the service console rpm samba to version 
   3.0.9-1.3E.15vmw 

   The Common Vulnerabilities and Exposures project (cve.mitre.org) 
   has assigned the name CVE-2008-1105 to this issue.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted         any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      patch ESX350-200806218-UG
   ESX            3.0.3     ESX      not affected
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      affected, patch pending
   ESX            2.5.4     ESX      affected, patch pending

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

   ESX 3.5 (Samba)
   download3.vmware.com/software/esx/ESX350-200806218-UG
   md5sum: dfad21860ba24a6322b36041c0bc2a07
   kb.vmware.com/kb/1005931

   ESX 3.5 (vmnix)
   download3.vmware.com/software/esx/ESX350-200806201-UG
   md5sum: 2888192905a6763a069914fcd258d329
   kb.vmware.com/kb/1005894

   ESX 3.0.3 build 104629
   ESX Server 3.0.3 CD image
   md5sum: c2cda9242c6981c7eba1004e8fc5626d
   Upgrade package from ESX Server 2.x to ESX Server 3.0.3
   md5sum: 0ad8fa4707915139d8b2343afebeb92b
   Upgrade package from earlier releases of ESX Server 3 to ESX Server 3.0.3
   md5sum: ff7f3dc12d34b474b231212bdf314113
   release notes: 
   www.vmware.com/support/vi3/doc/releasenotes_esx303.html


5. References

  CVE numbers:

  CVE-2007-5001
  CVE-2007-6151
  CVE-2007-6206
  CVE-2008-0007
  CVE-2008-1367
  CVE-2008-1375
  CVE-2008-1669
  CVE-2006-4814
  CVE-2008-1105 

---------------------------------------------------------------_----

6. Change log:

2008-07-28 VMSA-2008-0011    
Initial release
2008-08-12 VMSA-2008-0011.1
Added VMware ESX 3.0.3 released on 2008-08-08

---------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: kb.vmware.com/kb/1055

VMware Security Center
www.vmware.com/security

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.