Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

VMware ESX Server 3.5, Patch ESX350-200802408-SG: Security Updates to the Python Package (1003451)

Details

Release Date: 3/10/2008
Document Last Updated: 3/10/2008

Download Size: 4MB
Download Filename:
ESX350-200802408-SG.zip
md5sum:
bc3e64627a6f223f0fae837233df5d0d
Product Versions ESX Server 3.5.0
Patch Classification Security
Supersedes None
Dependencies ESX350-200802403-BG
Virtual Machine Migration or Reboot Required No
ESX Server Host Reboot Required No
PRs Fixed 224018
Affected Hardware N/A
Affected Software Unknown
RPMs Included python-2.2.3-6.8
Related CVE numbers CVE-2006-7228, CVE-2007-2052, CVE-2007-4965

Solution

Summaries and Symptoms

This patch provides service console updates for the Python package. The patch fixes the following security issues:

  • An integer overflow issue with the way Python's Perl Compatible Regular Expression (PCRE) module handles certain regular expressions. If a Python application uses the PCRE module to compile and execute untrusted regular expressions, it might be possible to cause the application to crash, or to execute arbitrary code with the privileges of the Python interpreter.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-7228 to this issue.

  • A flaw in Python's locale module where strings generated by the strxfrm() function are not properly NULL-terminated. This might result in disclosure of data stored in the memory of a Python application using the strxfrm() function.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2052 to this issue.

  • Multiple integer overflow flaws in Python's imageop module that can allow an attacker to cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the Python interpreter.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4965 to this issue.

 

Deployment Considerations

Patch bundle ESX350-200802403-BG must be installed prior to installing this patch. The esxupdate utility will check to ensure that ESX350-200802403-BG is installed before proceeding with installation of this patch.

Patch Download and Installation

To automatically download and install patches on your ESX Server 3.5 hosts, use the VMware Update Manager. For more information, see the Update Manager Administration Guide at http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf.

To update ESX Server 3.5 hosts from the command line of the service console, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install it using the esxupdate utility. For more information about using esxupdate, see the ESX Server 3 Patch Management Guide at http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_esxupdate.pdf.

Keywords

alertz

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 0 Ratings
Actions
KB: