-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2013-0015
Synopsis: VMware ESX updates to third party libraries
Issue date: 2013-12-05
Updated on: 2013-12-05 (initial release)
CVE numbers: --- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary
VMware has updated several third party libraries in ESX that address
multiple security vulnerabilities.
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
3. Problem Description
a. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple
security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234,
CVE-2013-2237, CVE-2013-2232 to these issues.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312401-SG
ESX 4.0 ESX patch pending
b. Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable
Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2013-0791 and CVE-2013-1620 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312403-SG
ESX 4.0 ESX patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESX 4.1
-------
File: ESX410-201312001.zip
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.
5. References
--- kernel (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
--- NSPR and NSS (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
- -------------------------------------------------------------------------
6. Change log
2013-12-05 VMSA-2013-0015
Initial security advisory in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- -------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUEEACgkQDEcm8Vbi9kMhDACfV3FNa6tlAK39I+nriVr462NJ
TtwAnRcl4PAICCPknirkUT804VlueHwZ
=cimI
-----END PGP SIGNATURE-----
All posts by 007admin
WatchGuard Named as Most Influential Brand of 2013 in Survey of IT Operation and Maintenance Magazine Readers
Small and medium businesses recognize WatchGuard’s pricing, features and ease of use with award
UK's Chester Zoo Uses WatchGuard Technologies' Integrated Security Platforms to Protect Critical IT Infrastructure
Intrusion detection and prevention, and application control, add new level of security and reporting at zoo
[BSA-089] Security update for nbd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Wouter Verhelst uploaded new packages for nbd which fixed the following security problems: CVE-2013-6410 Incorrect parsing of the access control lists For the squeeze-backports distribution the problem has been fixed in version 1:3.2-4~deb7u4~bpo60+1 nbd is not present in any other backports repository. - -- This end should point toward the ground if you want to go to space. If it starts pointing toward space you are having a bad problem and you will not go to space today. -- http://xkcd.com/1133/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBAgAGBQJSn1DVAAoJEMKUD5Ub3wqd2iYP/i2eHcfBjLuaba7YYCJHXOsr npcNAZhl4eNaarp7Q5FcFT7Z3VXkjRRC40I/TgAMHofY13z1UjYWS8DpWJjmLaVZ D4EbnxZk/6fgfeNOLnjakzMMFD8mbgXgN3a9l6TaRc0u7tM/GwmwdxXK18vw2tic NdrI52H5FfHUKwCYduQyKvwpOLMdoxCMPv7KqQQFwHRfzv3aR4fR+5wjagZdMdwN K6tfusR9Wgeq8U3Dm4TRQ+9Nmoc0ZgjHl8YkvV5+Rlw56c66ptpwYQOHyO258SKF 4LvpmFRpNU
WatchGuard Technologies Protects More Than 15,000 Media Attendees at the Tokyo Motor Show
For the fourth consecutive show, images, video and content will be protected from security threats
Stay Safe While Shopping Online This Holiday Season With These Five Cyber Security Tips
The evolution of online threats has left shoppers more vulnerable than ever to cyber scams
WatchGuard Technologies Offers Insight Into Need for Information Security Visibility
Video presentation with Frost & Sullivan offers deep look at research showing the need for visibility into information security systems
[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.4.7 Released
Apache HTTP Server 2.4.7 Released
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.7 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a feature and bug fix release.
Also in this release are some exciting new features including:
*) Major updates to mod_proxy_fcgi
*) Higher performant event MPM
*) Enhancements to the WinNT MPM
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
NOTE: With this release, the Event MPM checks for acceptable use
of atomic operations. If the Event MPM no longer works on
your platform, be sure to contact [email protected].
Apache HTTP Server 2.4.7 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.7 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
CVE-2013-6375 (opensuse, xen)
Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an “inverted boolean parameter.”
CVE-2013-4589 (fedora, graphicsmagick, suse_linux_enterprise_debuginfo, suse_linux_enterprise_software_development_kit, suse_studio_onsite)
The ExportAlphaQuantumType function in export.c in GraphicsMagick before 1.3.18 might allow remote attackers to cause a denial of service (crash) via vectors related to exporting the alpha of an 8-bit RGBA image.