VMware ESX Server 3.5, Patch ESX350-200802408-SG: Security Updates to the Python Package (1003451)
Release Date: 3/10/2008
Document Last Updated: 3/10/2008
Download Size: 4MB
Summaries and Symptoms
This patch provides service console updates for the Python package. The patch fixes the following security issues:
An integer overflow issue with the way Python's Perl Compatible Regular Expression (PCRE) module handles certain regular expressions. If a Python application uses the PCRE module to compile and execute untrusted regular expressions, it might be possible to cause the application to crash, or to execute arbitrary code with the privileges of the Python interpreter.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-7228 to this issue.
A flaw in Python's locale module where strings generated by the strxfrm() function are not properly NULL-terminated. This might result in disclosure of data stored in the memory of a Python application using the strxfrm() function.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2052 to this issue.
Multiple integer overflow flaws in Python's imageop module that can allow an attacker to cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the Python interpreter.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4965 to this issue.
Patch bundle ESX350-200802403-BG must be installed prior to installing this patch. The esxupdate utility will check to ensure that ESX350-200802403-BG is installed before proceeding with installation of this patch.
Patch Download and Installation
To automatically download and install patches on your ESX Server 3.5 hosts, use the VMware Update Manager. For more information, see the Update Manager Administration Guide at http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf.
To update ESX Server 3.5 hosts from the command line of the service console, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install it using the esxupdate utility. For more information about using esxupdate, see the ESX Server 3 Patch Management Guide at http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_esxupdate.pdf.