ackle 12/09/29 13:14:04

Added: glsa-201209-25.xml
Log:
GLSA 201209-25

Revision Changes Path
1.1 xml/htdocs/security/en/glsa/glsa-201209-25.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201209-25.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201209-25.xml?rev=1.1&content-type=text/plain

Index: glsa-201209-25.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201209-25">
<title>VMware Player, Server, Workstation: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in VMware Player, Server,
and Workstation, allowing remote and local attackers to conduct several
attacks, including privilege escalation, remote execution of arbitrary
code, and a Denial of Service.
</synopsis>
<product type="ebuild">vmware-server vmware-player vmware-workstation</product>
<announced>September 29, 2012</announced>
<revised>September 29, 2012: 2</revised>
<bug>213548</bug>
<bug>224637</bug>
<bug>236167</bug>
<bug>245941</bug>
<bug>265139</bug>
<bug>282213</bug>
<bug>297367</bug>
<bug>335866</bug>
<bug>385727</bug>
<access>local, remote</access>
<affected>
<package name="app-emulation/vmware-player" auto="yes" arch="*">
<vulnerable range="le">2.5.5.328052</vulnerable>
</package>
<package name="app-emulation/vmware-workstation" auto="yes" arch="*">
<vulnerable range="le">6.5.5.328052</vulnerable>
</package>
<package name="app-emulation/vmware-server" auto="yes" arch="*">
<vulnerable range="le">1.0.9.156507</vulnerable>
</package>
</affected>
<background>
<p>VMware Player, Server, and Workstation allow emulation of a complete PC
on a PC without the usual performance overhead of most emulators.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VMware Player, Server,
and Workstation. Please review the CVE identifiers referenced below for
details.
</p>
</description>
<impact type="high">
<p>Local users may be able to gain escalated privileges, cause a Denial of
Service, or gain sensitive information.
</p>

<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the remote execution of arbitrary code, or a Denial
of Service. Remote attackers also may be able to spoof DNS traffic, read
arbitrary files, or inject arbitrary web script to the VMware Server
Console.
</p>

<p>Furthermore, guest OS users may be able to execute arbitrary code on the
host OS, gain escalated privileges on the guest OS, or cause a Denial of
Service (crash the host OS).
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo discontinued support for VMware Player. We recommend that users
unmerge VMware Player:
</p>

<code>
# emerge --unmerge "app-emulation/vmware-player"
</code>

<p>NOTE: Users could upgrade to
“>=app-emulation/vmware-player-3.1.5”, however these packages are
not currently stable.
</p>

<p>Gentoo discontinued support for VMware Workstation. We recommend that
users unmerge VMware Workstation:
</p>

<code>
# emerge --unmerge "app-emulation/vmware-workstation"
</code>

<p>NOTE: Users could upgrade to
“>=app-emulation/vmware-workstation-7.1.5”, however these packages
are not currently stable.
</p>

<p>Gentoo discontinued support for VMware Server. We recommend that users
unmerge VMware Server:
</p>

<code>
# emerge --unmerge "app-emulation/vmware-server"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5269">CVE-2007-5269</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503 ">
CVE-2007-5503
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5671 ">
CVE-2007-5671
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0967 ">
CVE-2008-0967
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1340 ">
CVE-2008-1340
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1361 ">
CVE-2008-1361
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1362 ">
CVE-2008-1362
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1363 ">
CVE-2008-1363
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1364 ">
CVE-2008-1364
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1392 ">
CVE-2008-1392
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447 ">
CVE-2008-1447
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1806 ">
CVE-2008-1806
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1807 ">
CVE-2008-1807
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1808 ">
CVE-2008-1808
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098 ">
CVE-2008-2098
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2100 ">
CVE-2008-2100
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2101 ">
CVE-2008-2101
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4915 ">
CVE-2008-4915
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4916 ">
CVE-2008-4916
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4917 ">
CVE-2008-4917
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040 ">
CVE-2009-0040
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0909 ">
CVE-2009-0909
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0910 ">
CVE-2009-0910
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1244">CVE-2009-1244</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2267 ">
CVE-2009-2267
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3707 ">
CVE-2009-3707
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3732 ">
CVE-2009-3732
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3733 ">
CVE-2009-3733
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4811 ">
CVE-2009-4811
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1137 ">
CVE-2010-1137
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1138 ">
CVE-2010-1138
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1139 ">
CVE-2010-1139
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1140 ">
CVE-2010-1140
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1141 ">
CVE-2010-1141
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1142 ">
CVE-2010-1142
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1143 ">
CVE-2010-1143
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3868">CVE-2011-3868</uri>
</references>
<metadata tag="requester" timestamp="Fri, 07 Oct 2011 23:37:01 +0000">system</metadata>
<metadata tag="submitter" timestamp="Sat, 29 Sep 2012 13:12:45 +0000">ackle</metadata>
</glsa>
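
Review bot: In the references block, most uri entries have a trailing space inside the link attribute (for example cvename=CVE-2007-5503 followed by a space before the closing quote) and wrap the CVE id onto its own line, while the entries for CVE-2007-5269, CVE-2009-1244 and CVE-2011-3868 are single-line with no trailing space. Drop the trailing space and use the single-line form for every entry, so the link value is a clean URL for the stylesheet and for any tool that reads the attribute, and the link text carries no surrounding whitespace.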