Date: Thu, 26 Feb 2009 20:10:43 -0800
From: VMware Security team <security@vmware.com.>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: VMSA-2009-0003 ESX 2.5.5 patch 12 updates service console package
ed
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0003
Synopsis: ESX 2.5.5 patch 12 updates service console package ed
Issue date: 2009-01-26
Updated on: 2009-01-26 (initial release of advisory)
CVE numbers: CVE-2008-3916
- ------------------------------------------------------------------------
1. Summary
ESX 2.5.5 patch 12 Build 142708 updates service console package ed
2. Relevant releases
VMware ESX 2.5.5 before patch 12
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
to upgrade to ESX 3.0.3 and preferably to the newest release
available.
3. Problem Description
a. Updated ESX patch updates Service Console package ed
ed is a line-oriented text editor, used to create, display, and
modify text files (both interactively and via shell scripts).
A heap-based buffer overflow was discovered in the way ed, the GNU
line editor, processed long file names. An attacker could create a
file with a specially-crafted name that could possibly execute an
arbitrary code when opened in the ed editor.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-3916 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi 3.5 ESXi not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX not affected
ESX 2.5.5 ESX Upgrade Patch 12
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 2.5.5 Upgrade Patch 12 Build 142709
www.vmware.com/support/esx25/doc/esx-255-142709-patch.html
http://download3.vmware.com/software/esx/esx-2.5.5-142709-upgrade.tar.gz
md5sum: 2a0bd5cc3591b1f6b04616fa2c97f78c
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916
- ------------------------------------------------------------------------
6. Change log
2009-02-20 VMSA-2009-0003
Initial security advisory after release of patch 12 for ESX 2.5.5
on 2009-02-20.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
iD8DBQFJp2fAS2KysvBH1xkRAiBvAJ420qchZs/J2AiBRw+Gi4nTIlTprwCfU3Zx
KioldmTcIUXlhY7Iq7WlmGY=
=Ym/+
-----END PGP SIGNATURE-----
