VMware vSphere Management Assistant (vMA) 4.0 Patch 03

Details

Release Date: February 24, 2010
Download Size: 53 MB



Product Versions: vMA 4.0
Build: 230327

Patch Classification: Security
Replaces: n/a
Virtual Appliance Power Cycle reboot required
PRs Fixed: 463109, 464033, 476623, 501205, 501209, 501245, 503943, 507443, 507444, 507448
Affected Software: n/a
VIBs Included:
openssl-0.9.8e-12.el5.x86_64.vib
newt-0.52.2-12.el5_4.1.i386.vib
bind-utils-9.3.6-4.P1.el5_4.1.x86_64.vib
expat-1.95.8-8.3.el5_4.2.i386.vib
bind-libs-9.3.6-4.P1.el5_4.1.i386.vib
dbus-1.1.2-12.el5.x86_64.vib
bind-libs-9.3.6-4.P1.el5_4.1.x86_64.vib
openssl-0.9.8e-12.el5.i686.vib
nss-3.12.3.99.3-1.2157.vmw.x86_64.vib
kpartx-0.4.7-23.el5_3.4.x86_64.vib
glib2-2.12.3-4.el5_3.1.i386.vib
libvolume_id-095-14.20.el5_3.x86_64.vib
openssh-clients-4.3p2-36.el5_4.2.x86_64.vib
glib2-2.12.3-4.el5_3.1.x86_64.vib
nspr-4.7.6-1.2213.vmw.x86_64.vib
device-mapper-multipath-0.4.7-23.el5_3.4.x86_64.vib
vmware-esx-sslcompat-4.0.0-0.0.230327.i386.vib
fipscheck-1.0.3-1.el5.x86_64.vib
openssh-4.3p2-36.el5_4.2.x86_64.vib
nfs-utils-1.0.9-42.el5.x86_64.vib
ntp-4.2.2p1-9.el5_4.1.x86_64.vib
dbus-libs-1.1.2-12.el5.x86_64.vib
ed-0.2-39.el5_2.x86_64.vib
kernel-2.6.18-164.9.1.el5.x86_64.vib
openssh-server-4.3p2-36.el5_4.2.x86_64.vib
newt_0.52.2-12.el5_4.1.x86_64.vib
expat-1.95.8-8.3.el5_4.2.x86_64.vib
Related CVE numbers: CVE-2008-4316, CVE-2008-3916, CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, CVE-2009-3382, CVE-2009-2904, CVE-2009-2905, CVE-2008-4552, CVE-2009-3620, CVE-2009-3726, CVE-2009-3612, CVE-2009-3621, CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387, CVE-2009-0590, CVE-2009-3563, CVE-2009-3560, CVE-2009-3720, CVE-2009-4022

Solution

Summaries and Symptoms

This patch provides the following security and bug fixes:

  • Updated packages are available for glib2, dbus, dbus-libs, device-mapper-multipath, kpartx, and ed.

    • glib2 updated to glib2-2.12.3-4.el5_3.1. Diego Petteno discovered multiple integer overflows that cause heap-based buffer overflows in GLib's Base64 encoding and decoding functions. An attacker could use these flaws to cause an application to fail by using GLib's Base64 functions to encode or decode large, untrusted inputs, or, possibly, run arbitrary code as the user running the application. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4316 to this issue.
    • dbus updated to dbus-1.1.2-12.el5 and dbus-libs updated to dbus-libs-1.1.2-12.el5. In certain cases, if a process is listening for D-Bus messages in one thread, and at the same time is sending messages to the D-Bus daemon from another thread, the process might stop responding. To resolve this issue, the update fixes incorrect locking of POSIX threads (pthreads) and clean-up issues in the D-Bus libraries. The system bus now supports starting services on demand in the same manner as the session bus already does. This allows privileged services to start only when they are needed, and stop when they are finished processing their requests, making more efficient use of system resources.
    • device-mapper-multipath package and kpartx updated to device-mapper-multipath-0.4.7-23.el5_3.4 and kpartx-0.4.7-23.el5_3.4 respectively. These updated device-mapper-multipath packages fix the following bugs:
      • A race condition in the shutdown code for multipathd might cause a lock to be destroyed while some threads are still using it. This could cause the machine to become unresponsive when multipathd shuts down. The multipathd daemon now waits for all threads to finish using the lock before destroying it, thus removing the race and resolving the issue.
      • When you add a new multipath-capable block device, a race condition occurs between the multipathd daemon and udev to multipath the new device. If udev, through multipath, updated the multipath devices first, then the multipathd daemon would not use the device-specific configurations for the device when it started monitoring the path. With this update, multipathd now correctly configures the device, even when udev notices it first, thus resolving the issue.
    • ed package updated to ed-0.2-39.el5_2. A heap-based buffer overflow was discovered in the way ed, the GNU line editor, processed long file names. An attacker could create a file with a specially crafted name that could possibly execute arbitrary code when opened in the ed editor. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3916 to this issue.
  • Service console packages for Network Security Services (NSS) and Netscape Portable Runtime (NSPR) updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively to fix several security issues in the packages.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.
     
  • OpenSSH packages updated to openssh-4.3p2-36.el5_4.2, openssh-clients-4.3p2-36.el5_4.2 and openssh-server-4.3p2-36.el5_4.2. These packages include the core files necessary for both the OpenSSH client and server.

    A Red Hat patch used in the OpenSSH packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) modified certain ownership requirements for directories used as arguments for the ChrootDirectory configuration option. A malicious user who also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2904 to this issue.
     
  • Newt packages updated to newt-0.52.2-12.el5_4.1. This fixes the following issue:

    A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially-crafted text dialog box display request (direct or through a custom application), leading to a denial of service (application failure) or, potentially, arbitrary code execution with the privileges of the user running the application that is using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue.
  • The nfs-utils package updated to nfs-utils-1.0.9-42.el5. This fixes the following issue:

    It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in /etc/hosts.allow and /etc/hosts.deny may not have been honored, possibly allowing remote attackers to bypass intended access restrictions. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4552 to this issue.
     
  • kernel packages updated to kernel-2.6.18-164.9.1.el5. This fixes the following issues:

    • NULL pointer dereference flaws in the r128 driver. Checks to test if the Concurrent Command Engine state was initialized were missing in private IOCTL functions. An attacker could use these flaws to cause a local denial of service or escalate their privileges. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3620 to this issue.
    • A NULL pointer dereference flaw in the NFSv4 implementation. Several NFSv4 file locking functions failed to check whether a file had been opened on the server before performing locking operations on it. A local user on a system with an NFSv4 share mounted could possibly use this flaw to cause a denial of service or escalate their privileges. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3726 to this issue.
    • A flaw in tcf_fill_node(). A certain data structure in this function is not initialized properly before being copied to user-space. This could lead to an information leak. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3612 to this issue.
    • A flaw in unix_stream_connect(). The function did not check if a UNIX domain socket was in the shutdown state. This could lead to a deadlock. A local, unprivileged user could use this flaw to cause a denial of service. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3621 to this issue.
  • OpenSSL packages updated to openssl-0.9.8e-12.el5. This fixes the following issues:

    Multiple denial-of-service flaws were discovered in OpenSSL's DTLS implementation. A remote attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or stop on an invalid memory access or NULL pointer dereference. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, and CVE-2009-1387 to these issues.

    Note: These flaws only affect applications that use DTLS. VMware does not ship any DTLS client or server applications.

    An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially-crafted X.509 certificate that could cause applications using the affected function to fail when printing certificate contents. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0590 to this issue.

    Note: The affected function is rarely used. No application shipped by VMware calls this function.

  • ntp package is updated to ntp-4.2.0.a.20040617-8.el4_8.1. This fixes the following issue:

    Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers through a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3563 to this issue.

  • Expat packages updated to expat-1.95.8-8.3.el5_4.2. This update fixes the following issues:

    Two buffer over-read flaws were found in the way Expat handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause applications using Expat to fail while parsing the file. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-3560 and CVE-2009-3720 to these issues.

  • BIND packages updated to bind-libs-9.3.6-4.P1.el5_4.1 and bind-utils-9.3.6-4.P1.el5_4.1.

    Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-4022 to this issue.

    Deployment Considerations

    For vMA 4.0, no patch bundles are available for manual download. The depot location of metadata has been preconfigured in the /etc/vmware/esxupdate/vimaupdate.conf file so that users can apply the vMA 4.0 patch when it is generally available.

    Download and Installation

    To apply the patch to vMA 4.0 GA (build 161993), perform the following steps:

    1. Open the /etc/vmware/esxupdate/vimaupdate.conf file by running the following command:

      # sudo vi /etc/vmware/esxupdate/vimaupdate.conf

    2. Edit the following proxy settings to set the appropriate values.

      proxy = <your_company_proxy>

      proxyport = <your_company_proxy_port_number>

    3. Scan the depot for applicable bulletins by running the following command:

      # sudo vima-update scan

      The applicable bulletins with updates are listed as shown in the example:

      ---Bulletin ID--- ---Date--- ---------------Summary---------------

      VIMA400-200906001 2009-07-13 Security Patch for Red Hat RPMs.
      VIMA400-200911002 2009-11-23 Security update for vMA (KB1014689)
      VIMA400-201002201 2010-02-24 Security update for vMA (KB1017122)

    4. Apply the patch by running one of the following commands. Note that you need to specify the update option and the bulletin ID as shown in the example:

      # sudo vima-update update

      or

      # sudo vima-update -b VIMA400-201002201 update

    For more information on how to use vima-update, see the vSphere Management Assistant Guide.
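
The check in steps 3 and 4 can be scripted. The following is an added example, not part of the VMware article: it parses `vima-update scan` output in the format shown in step 3 and reports whether bulletin VIMA400-201002201 is still listed. The function names are hypothetical, and it assumes that scan lists only bulletins that are still applicable to the appliance.

```shell
#!/bin/sh
# Added example, not VMware code: decide from `vima-update scan` output
# whether the Patch 03 bulletin is still listed as applicable.

PATCH03="VIMA400-201002201"   # bulletin ID from step 3 of this article

# Sample input: the scan listing shown in step 3, reproduced for offline use.
SAMPLE_SCAN='---Bulletin ID--- ---Date--- ---------------Summary---------------

VIMA400-200906001 2009-07-13 Security Patch for Red Hat RPMs.
VIMA400-200911002 2009-11-23 Security update for vMA (KB1014689)
VIMA400-201002201 2010-02-24 Security update for vMA (KB1017122)'

# Read scan output on stdin; print "ID DATE" for each bulletin row.
# Header, blank lines and anything that is not an ID/date pair are skipped.
bulletins_from_scan() {
    awk '$1 ~ /^VIMA[0-9]+-[0-9]+$/ &&
         $2 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { print $1, $2 }'
}

# Exit 0 if bulletin ID $1 appears in the scan output on stdin, 1 otherwise.
bulletin_listed() {
    bulletins_from_scan | awk -v id="$1" '$1 == id { hit = 1 } END { exit !hit }'
}

# Print a one-line status for host label $1 from scan output on stdin.
report_patch03() {
    if bulletin_listed "$PATCH03"; then
        echo "$1: $PATCH03 still applicable, run: sudo vima-update -b $PATCH03 update"
    else
        echo "$1: $PATCH03 not listed by scan"
    fi
}

# On a vMA appliance, check the live scan; elsewhere, show the sample result.
if command -v vima-update >/dev/null 2>&1; then
    sudo vima-update scan | report_patch03 "$(hostname)"
else
    printf '%s\n' "$SAMPLE_SCAN" | report_patch03 "sample"
fi
```
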
