Knowledge Base

Summaries and Symptoms

This patch provides the following security and bug fixes:

• JRE package updated to jre-1.5.0_21-fcs
  

  JDK 5.0 Update 21 addresses non-security issues and includes fixes for previously addressed non-security and security issues. Details of these fixes are available from the Sun Web site at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html.

• NTP package updated to ntp-4.2.2p1-9.el5_3.2
  

  The updated NTP package fixes a buffer overflow flaw found in the ntpq diagnostic command that might allow a reply to an ntpq request from a malicious user that causes ntpq to fail. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue.
  This fixes a buffer overflow flaw in the ntpd daemon NTPv4 authentication code where if ntpd is configured to use public key cryptography for NTP packet authentication, a remote attack from a malicious user with a modified request packet might cause ntpq to fail.

  The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue.

• Kernel package updated to kernel-2.6.18-164.el5

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848, to the security issues fixed in kernel 2.6.18-164.
  

• Update for vmware-vsphere-cli-4.0.0
  

  The vihostupdate command allows you to specify multiple comma-separated bulletins when you use the --bundle option. You can use this option when you install multiple bulletins from VMware and a VMware partner. For more information on this command, see the vSphere Command-Line Interface Documentation at http://www.vmware.com/support/developer/vcli/.

• Net-SNMP packages updated to net-snmp-5.3.2.2-7.el5_4.2, net-snmp-utils-5.3.2.2-7.el5_4.2, and net-snmp-libs-5.3.2.2-7.el5_4.2
  

  This update provides a fix for a memory leak issue in the SNMP daemon and a few other fixes. Please see http://rhn.redhat.com/errata/RHBA-2009-1437.html for details.

• libxml2 packages updated to libxml2-2.6.26-2.1.2.8, and libxml2-python-2.6.26-2.1.2.8
  

  This update resolves a stack overflow flaw found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially crafted XML file, which if opened by a local user, would lead to denial of service.
  
  This update resolves multiple use-after-free flaws found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which if opened by a local user, would lead to denial of service.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues.

• curl package updated to curl-7.15.5-2.1.el5_3.5
  

  A curl is affected by the previously published null prefix attack, caused by incorrect handling of NULL characters.
  
  If an attacker is able to get a carefully crafted certificate signed by a trusted certificate authority, the attacker could use the certificate during a man-in-the-middle attack and potentially cause curl to accept it by mistake.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue.

• GnuTLS package updated to gnutls-1.4.1-3.el5_3.5
  

  This update includes GnuTLS packages that fix a security issue. GnuTLS is vulnerable to a "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. A malicious user might be able to use a signed certificate in a man-in-the-middle attack and potentially confuse GnuTLS into accepting it. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue.

• Python package updated to python-2.4.3-24.el5_3.6
  

  When the assert() system call was disabled, an input sanitization flaw in the Python string object implementation led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges.
  
  Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service.
  
  Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, fail, or potentially, execute arbitrary code with the Python interpreter's privileges.
  
  Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption).
  
  Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service.
  
  An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested that the negative byte count be flushed for a decompression stream, it could cause the application to fail, or potentially, execute arbitrary code with the Python interpreter's privileges.
  
  A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052, CVE-2007-4965, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144, CVE-2008-4864, CVE-2008-5031 to these issues.

• BIND packages updated to bind-utils-9.3.6-4.P1.el5 and bind-libs-9.3.6-4.P1
  

  This fix includes updated BIND packages that fix a security issue. This fixes an error found when BIND handles dynamic update message packets containing the ANY record type, which might allow remote attackers to cause a denial of service assertion failure and daemon exit by using an ANY record in the prerequisite section of a crafted dynamic update message. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue.

• Updates to vmware-vima-4.0.0 and vmware-esx-vima-update-4.0.0
  

  These updates contain fixes for reboot notification when the kernel RPM is updated, restoring network setting after a reboot, and updating the PATH variable for the updated jre directory.

Deployment Considerations

For vMA 4.0, there is no patch bundle available for manual download. The depot location of metadata has been preconfigured in the /etc/vmware/esxupdate/vimaupdate.conf file so that users can apply the vMA 4.0 patch when it is generally available.

Download and Installation

To apply the patch to vMA 4.0 GA (build 161993), perform the following steps:

1. Open the /etc/vmware/esxupdate/vimaupdate.conf file by running the following command:

   # sudo vi /etc/vmware/esxupdate/vimaupdate.conf

2. Edit the following proxy settings to set the appropriate values.

   proxy = <your_company_proxy>

   proxyport = <your_company_proxy_port_number>

3. Scan the depot for applicable bulletins by running the following command:

   # sudo vima-update scan

   The applicable bulletins with updates are listed as shown in the following example:

   ---Bulletin ID--- ---Date--- ---------------Summary---------------

   VIMA400-200906001 2009-07-13 Security Patch for Red Hat RPMs.
VIMA400-200911002 2009-11-23 Security update for vMA (KB1014689)

4. Apply the patch using one of the following commands. Note that you need to specify the update option and the Bulletin ID as shown in the following example:

   # sudo vima-update update

   or

   # sudo vima-update –b VIMA400-200906001 update

For more information on how to use vima-update, see the vSphere Management Assistant Guide.