full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] VMSA-2010-0001 ESX Service

[Full-disclosure] VMSA-2010-0001 ESX Service Console updates for nss and nspr

From: VMware Security team <security_at_nospam>
Date: Thu Jan 07 2010 - 07:23:58 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

Hash: SHA1

  • ----------------------------------------------------------------------- VMware Security Advisory
Advisory ID: VMSA-2010-0001 Synopsis: ESX Service Console updates for nss and nspr Issue date: 2010-01-06 Updated on: 2010-01-06 (initial release of advisory) CVE numbers: CVE-2009-2409 CVE-2009-2408 CVE-2009-2404 CVE-2009-1563 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373 CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382 - ----------------------------------------------------------------------- 1. Summary

   Update for Service Console packages nss and nspr

2. Relevant releases

   VMware ESX 4.0 without patch ESX400-200912403-SG

3. Problem Description

  1. Update for Service Console packages nss and nspr

    Service console packages for Network Security Services (NSS) and     NetScape Portable Runtime (NSPR) are updated to versions     nss- and nspr-4.7.6-1.2213 respectively. This     patch fixes several security issues in the service console     packages for NSS and NSPR.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)     has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.

    The following table lists what action remediates the vulnerability     (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200912403-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 affected, patch pending

  • hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution

   Please review the patch/release notes for your product and version    and verify the md5sum of your downloaded file.

   ESX 4.0

   ESX400-200912403-SG https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip

   md5sum: 78c6cf139b7941dc736c9d3a41deae77    sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59    http://kb.vmware.com/kb/1016293

   To install an individual bulletin use esxupdate with the -b option.    esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912403-SG    update

5. References

   CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1563 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3370 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3372 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3373 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3374 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3380 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3382 - ------------------------------------------------------------------------ 6. Change log

2010-01-06 VMSA-2010-0001
Initial security advisory after release of patch ESX400-200912403-SG for ESX 4.0 on 2010-01-06.

  • ----------------------------------------------------------------------- 7. Contact

E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLRYwLS2KysvBH1xkRArmBAJoDcO5waCyCE+lfmEwuILVjcqeLngCcCzNo HgNlBjOx5iQw7etlwwpbyuo=

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/