VMware vSphere Management Assistant (vMA) Patch 01

Details

Release Date: July 13, 2009

Download Size: 5.7 MB

Product Versions: vMA 4.0
Build: 175905
Patch Classification: Security
Replaces: n/a
Virtual Appliance Power Cycle: No
PRs Fixed: 407023, 407025, 407027
Affected Software: n/a
VIBs Included:
    sudo-1.6.9p17-3.el5_3.1.x86_64.vib
    pam_krb5-2.2.14-10.i386.vib
    pam_krb5-2.2.14-10.x86_64.vib
    udev-095-14.20.el5_3.x86_64.vib
    curl-7.15.5-2.1.el5_3.4.i386.vib
    curl-7.15.5-2.1.el5_3.4.x86_64.vib
    krb5-libs-1.6.1-31.el5_3.3.i386.vib
    krb5-libs-1.6.1-31.el5_3.3.x86_64.vib
    krb5-workstation-1.6.1-31.el5_3.3.x86_64.vib
Related CVE numbers: CVE-2009-0846, CVE-2009-0844, CVE-2009-0845, CVE-2009-1185, CVE-2009-0034, CVE-2009-0037

Solution

Summaries and Symptoms

This patch fixes the following security issues:
  • 407023
    krb5-libs is updated to krb5-libs-1.6.1-31.el5_3.3 and the krb5-workstation package is updated to krb5-workstation-1.6.1-31.el5_3.3. This fixes an input validation flaw that was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. The Common Vulnerabilities and Exposures Project has assigned the name CVE-2009-0846 to this issue.
    Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. The Common Vulnerabilities and Exposures Project has assigned the names CVE-2009-0844 and CVE-2009-0845 to these issues.
    The pam_krb5 package is also upgraded to pam_krb5-2.2.14-10. This fixes an issue where a user authentication failure occurs under certain circumstances.
  • 407025
    The userspace device management (udev) program is updated to udev-095-14.20.el5_3. The udev program earlier than 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1185 to this issue.
  • 407027
    sudo is updated to sudo-1.6.9p17-3.el5_3.1. This fixes the following issue:
    Sudo versions 1.6.9p17 through 1.6.9p19 do not properly interpret a system group in the sudoers file during authorization decisions for a user who belongs to that group. Local users might be able to leverage an applicable sudoers file and gain root privileges by using a sudo command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0034 to this issue.
  • curl is updated to curl-7.15.5-2.1.el5_3.4. This fixes the following issue:
    The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to trigger arbitrary requests to intranet servers, read or overwrite arbitrary files by using a redirect to a file URL, or execute arbitrary commands by using a redirect to an scp URL. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0037 to this issue.

Deployment Considerations

For vMA 4.0, there is no patch bundle available for manual download. The depot location of metadata has been preconfigured in the /etc/vmware/esxupdate/vimaupdate.conf file so that users can apply the vMA 4.0 patch when it is generally available. See the following section for installation instructions.

Download and Installation

To apply the patch to vMA 4.0 GA (build 161993), perform the following steps:

  1. Open the /etc/vmware/esxupdate/vimaupdate.conf file by using the following command:

# sudo vi /etc/vmware/esxupdate/vimaupdate.conf

  2. Edit the following proxy settings to set the appropriate values:

proxy = <your_company_proxy>
proxyport = <your_company_proxy_port_number>

  3. Scan the depot for applicable bulletins by using the following command:

# sudo vima-update scan

The applicable bulletins with updates are listed as shown in the following example:

---Bulletin ID--- ---Date--- ---------------Summary---------------
VIMA400-200906001 2009-05-29 VIMA Security Patch for Red Hat RPMs.

  4. Apply the patch using one of the following commands. Note that you need to specify the update option and the Bulletin ID as shown in the following example:

# sudo vima-update update

or

# sudo vima-update -b VIMA400-200906001 update

For more information on how to use vima-update, see the vSphere Management Assistant Guide at http://www.vmware.com/support/developer/vima/vima40/doc/vma_40_guide.pdf.
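As an added verification check that is not part of this article or of the vima-update tool, the following script compares a saved package listing from the appliance against the package levels in the VIBs Included list above, using a simplified re-implementation of RPM's version ordering; the installed-package sample is constructed, and the script reports every required package that is absent or still below the patched level.

```python
import re

# Package levels this patch installs, taken from the "VIBs Included" list above.
PATCHED_VIBS = [
    "sudo-1.6.9p17-3.el5_3.1.x86_64.vib", "pam_krb5-2.2.14-10.i386.vib",
    "pam_krb5-2.2.14-10.x86_64.vib", "udev-095-14.20.el5_3.x86_64.vib",
    "curl-7.15.5-2.1.el5_3.4.i386.vib", "curl-7.15.5-2.1.el5_3.4.x86_64.vib",
    "krb5-libs-1.6.1-31.el5_3.3.i386.vib", "krb5-libs-1.6.1-31.el5_3.3.x86_64.vib",
    "krb5-workstation-1.6.1-31.el5_3.3.x86_64.vib",
]
# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` output
# (one package per line) where sudo and the 64-bit krb5-libs are still behind.
SAMPLE_RPM_QA = [
    "sudo-1.6.9p17-3.el5_3.x86_64", "pam_krb5-2.2.14-10.i386", "pam_krb5-2.2.14-10.x86_64",
    "udev-095-14.20.el5_3.x86_64", "curl-7.15.5-2.1.el5_3.4.i386", "curl-7.15.5-2.1.el5_3.4.x86_64",
    "krb5-libs-1.6.1-31.el5_3.3.i386", "krb5-libs-1.6.1-31.el5_3.2.x86_64",
    "krb5-workstation-1.6.1-31.el5_3.3.x86_64",
]

def parse_nevra(label):
    """Split 'name-version-release.arch[.vib]' into (name, version, release, arch); names may contain '-'."""
    label = re.sub(r"\.vib$", "", label.strip())
    rest, arch = label.rsplit(".", 1)
    name_ver, release = rest.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Segment-wise comparison like RPM's rpmvercmp(): digit runs compare numerically,
    letter runs as strings, digits outrank letters. Simplified: no '~' / '^' handling."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        kx = (x.isdigit(), int(x) if x.isdigit() else x)
        ky = (y.isdigit(), int(y) if y.isdigit() else y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def missing_fixes(rpm_qa_lines, required=PATCHED_VIBS):
    """Return required VIB labels whose name/arch is absent or older than the patched level."""
    installed = {}
    for n, v, r, a in (parse_nevra(line) for line in rpm_qa_lines if line.strip()):
        installed[(n, a)] = (v, r)
    missing = []
    for req in required:
        n, v, r, a = parse_nevra(req)
        have = installed.get((n, a))
        if have is None or (rpmvercmp(have[0], v) or rpmvercmp(have[1], r)) < 0:
            missing.append(req)
    return missing
```

Feed it the real listing with `missing_fixes(open("rpm-qa.txt"))`; an empty result means every package named by this patch is at or above the patched level.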
