- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0009
Synopsis: ESX Service Console updates for udev, sudo, and curl
Issue date: 2009-07-10
Updated on: 2009-07-10 (initial release of advisory)
CVE numbers: CVE-2009-1185 CVE-2009-0034 CVE-2009-0037
- ------------------------------------------------------------------------
1. Summary
Update for Service Console packages udev,sudo, and curl
2. Relevant releases
VMware ESX 4.0.0 without bulletin ESX400-200906411-SG,
ESX400-200906406-SG, ESX400-200906407-SG.
3. Problem Description
a. Service Console package udev
A vulnerability in the udev program did not verify whether a NETLINK
message originates from kernel space, which allows local users to
gain privileges by sending a NETLINK message from user space.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1185 to this issue.
Please see http://kb.vmware.com/kb/1011786 for details.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200906411-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX not affected
ESX 2.5.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
.............
.............
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 4.0
-------
ESX400-200906001
http://tinyurl.com/ncfu5s
md5sum:cab549922f3429b236633c0e81351cde
sha1sum:aff76554ec5ee3c915eb4eac02e62c131163059a
Note: ESX400-200906001 contains the following security fixes
ESX400-200906411-SG, ESX400-200906406-SG, ESX400-200906405-SG,
ESX400-200906407-SG.
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle ESX400-200906001.zip -b ESX400-200906411-SG \
-b ESX400-200906406-SG -b ESX400-200906405-SG -b \
ESX400-200906407-SG update
Via >> http://lists.vmware.com/pipermail/security-announce/2009/000060.html