[Vmware-package-maintainers] Bug#486177: vmware-package: multiple security issues

Thomas Bläsing thomasbl at pool.math.tu-berlin.de
Sat Jun 14 03:01:29 UTC 2008


Package: vmware-package
Version: 0.22
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for vmware-package.

CVE-2008-1392[0]:
| The default configuration of VMware Workstation 6.0.2, VMware Player
| 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 makes the
| console of the guest OS accessible through anonymous VIX API calls,
| which has unknown impact and attack vectors.

CVE-2008-1364[1]:
| Unspecified vulnerability in the DHCP service in VMware Workstation
| 5.5.x before 5.5.6, VMware Player 1.0.x before 1.0.6, VMware ACE 1.0.x
| before 1.0.5, VMware Server 1.0.x before 1.0.5, and VMware Fusion
| 1.1.x before 1.1.1 allows attackers to cause a denial of service.

CVE-2008-1340[2]:
| Virtual Machine Communication Interface (VMCI) in VMware Workstation
| 6.0.x before 6.0.3, VMware Player 2.0.x before 2.0.3, and VMware ACE
| 2.0.x before 2.0.1 allows attackers to cause a denial of service (host
| OS crash) via crafted VMCI calls that trigger "memory exhaustion and
| memory corruption."

CVE-2007-5619[3]:
| Unspecified vulnerability in VMware Server before 1.0.4 causes user
| passwords to be recorded in cleartext in server logs, which might
| allow local users to gain privileges.

CVE-2007-5617[4]:
| Unspecified vulnerability in VMware Player 1.0.x before 1.0.5 and 2.0
| before 2.0.1, and Workstation 5.x before 5.5.5 and 6.x before 6.0.1,
| prevents it from launching, which has unspecified impact, related to
| untrusted virtual machine images.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1392
    http://security-tracker.debian.net/tracker/CVE-2008-1392

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
    http://security-tracker.debian.net/tracker/CVE-2008-1364

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340
    http://security-tracker.debian.net/tracker/CVE-2008-1340

[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5619
    http://security-tracker.debian.net/tracker/CVE-2007-5619

[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5617
    http://security-tracker.debian.net/tracker/CVE-2007-5617


As mentioned in bug #484491, I think you just need to update the hashes
for the tarballs to fix this bug :)

Kind regards,
Thomas

