VMSA-2007-0005: Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
VMware Security Advisory
CVE-2005-3055 CVE-2005-3273 CVE-2006-1056
CVE-2006-1342 CVE-2006-1343 CVE-2006-1864
CVE-2006-2071 CVE-2007-0956 CVE-2007-0957
CVE-2007-1216
1. Summary:
Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
2. Relevant releases:
VMware ESX 3.0.1 without patch ESX-1000073
VMware ESX 3.0.0 without patch ESX-1000080
VMware ESX 2.5.4 prior to upgrade patch 9 (Build# 47255)
VMware ESX 2.5.3 prior to upgrade patch 12 (Build# 47274)
VMware ESX 2.1.3 prior to upgrade patch 7 (Build# 47243)
VMware ESX 2.0.2 prior to upgrade patch 7 (Build# 47268)
3. Problem description:
Problems addressed by these patches:
a. An updated Service Console XFree86 package that fixes a number of security issues
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-1003, CVE-2007-1351, CVE-2007-1352, and CVE-2007-1667 to these issues.
ESX 2.5.4 Upgrade Patch 9 (Build# 47255)
ESX 2.5.3 Upgrade Patch 12 (Build# 47274)
ESX 2.1.3 Upgrade Patch 7 (Build# 47243)
ESX 2.0.2 Upgrade Patch 7 (Build# 47268)
b. Upgraded UP and SMP kernels for ESX Server 2.5.4 fix a number of security issues.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-3055, CVE-2005-3273,
CVE-2006-1056, CVE-2006-1342, CVE-2006-1343, CVE-2006-1864, and
CVE-2006-2071 to these issues. The new kernel version is 2.4.9-e.71.
ESX 2.5.4 Upgrade Patch 9 (Build# 47255)
c. An update to the Kerberos network authentication packages provided in
the VMware ESX Server Service Console. Possible vulnerabilities have
been found with the krb5 telnet daemon, the Kerberos KDC, and kadmin.
Although these features are not enabled in the Service Console by default,
VMware recommends that all users apply this patch.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the names CVE-2007-0956, CVE-2007-0957, and CVE-2007-1216 to these issues.
VMware ESX 3.0.1 without patch ESX-1000073
VMware ESX 3.0.0 without patch ESX-1000080
4. Solution:
Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.
ESX 3.0.1
www.vmware.com/support/vi3/doc/esx-1000073-patch.html
md5sum be83416cd0ba35c2b46e3550608b436e
ESX 3.0.0
www.vmware.com/support/vi3/doc/esx-1000080-patch.html
md5sum ea6c2db9554adc15e506a3f0ece6976a
ESX 2.5.4
www.vmware.com/support/esx25/doc/esx-254-200706-patch.html
md5sum da6f0056f8ea0b77a42c0250795c3dd1
ESX 2.5.3
www.vmware.com/support/esx25/doc/esx-253-200706-patch.html
md5sum 8da2a03673608033feccdca57d78504f
ESX 2.1.3
www.vmware.com/support/esx21/doc/esx-213-200706-patch.html
md5sum 6ecef2b89dadf35b86290dc7e33d90f7
ESX 2.0.2
www.vmware.com/support/esx2/doc/esx-202-200706-patch.html
md5sum 0357cbf7536788cad94ede871a3440c9
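One way to script the md5sum check requested above, shown as an added example that is not part of the VMware advisory. The function names are hypothetical, the digests are the ones listed in this section, and the path of the downloaded patch file is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded ESX patch against the MD5 values
# published in section 4 of this advisory. Function names are hypothetical.

# Print the advisory's MD5 for a release; return 1 for a release it does not list.
expected_md5() {
    case "$1" in
        3.0.1) echo be83416cd0ba35c2b46e3550608b436e ;;
        3.0.0) echo ea6c2db9554adc15e506a3f0ece6976a ;;
        2.5.4) echo da6f0056f8ea0b77a42c0250795c3dd1 ;;
        2.5.3) echo 8da2a03673608033feccdca57d78504f ;;
        2.1.3) echo 6ecef2b89dadf35b86290dc7e33d90f7 ;;
        2.0.2) echo 0357cbf7536788cad94ede871a3440c9 ;;
        *) return 1 ;;
    esac
}

# Compare a file's MD5 with an expected hex digest (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_md5() {
    local file=$1 want actual
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$want" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual, advisory lists $want)" >&2
        return 1
    fi
}

# Look up the release, then verify. Returns 3 for an unlisted release.
verify_patch() {
    local want
    want=$(expected_md5 "$1") || { echo "release not in advisory: $1" >&2; return 3; }
    verify_md5 "$2" "$want"
}

# Run only when called with arguments: <release> <downloaded-file>
if [ "$#" -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

A non-zero exit status means the file should not be installed. The comparison is only as trustworthy as the copy of the advisory the digests were taken from.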
5. References:
CVE numbers
cve.mitre.org/cgi-bin/cvename.cgi
6. Contact:
E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* [email protected]
* [email protected]
* [email protected]
E-mail: [email protected]
www.vmware.com/security
VMware Security Response Policy
www.vmware.com/vmtn/technology/security/security_response.html
Copyright 2007 VMware Inc. All rights reserved.