VMware ESX Server 3.5, Patch ESX350-200803214-UG: Security Update for the e2fsprogs, libxml, net-snmp, and pcre packages (1003721)
Release Date: 10 APR 2008
This bundle provides security updates to the e2fsprogs, libxml, net-snmp, and pcre packages used in the ESX Server service console.
The patch fixes the following security issues:
- Service console updates for the e2fsprogs package to address multiple integer overflow flaws.
Thanks to Rafal Wojtczuk of McAfee Avert Research for identifying and reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-5497 to this issue.
- The libxml2 packages provide a library to manipulate XML files. The package includes support to read, modify, and write XML files. A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-6284 to this issue.
- A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port could send a malicious packet causing snmpd to crash, resulting in a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-5846 to this issue.
- An integer overflow issue was found in the way Python's Perl-Compatible Regular Expression (PCRE) module handles certain regular expressions. If a Python application uses the PCRE module to compile and execute untrusted regular expressions, it might be possible to cause the application to crash, or to execute arbitrary code with the privileges of the Python interpreter.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-1660 and CVE-2006-7228 to this issue.
There are no symptoms available for the updates provided by this patch.
Patch Download and Installation
For information on using VMware Update Manager to automatically download and install patches on ESX Server 3.5 hosts, see the VMware Update Manager Administration Guide.
To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using the esxupdate tool from the command line of the host. For more information on using esxupdate to manage patches on ESX Server 3.5 hosts, see the ESX Server 3 Patch Management Guide.