The OVAL Repository
OVAL schema version: 5.7
Generated: 2014-01-03T07:37:12.560-05:00

Title: VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
Description: Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.
Submitted by: Merryl DMello
Status: DRAFT, INTERIM, INTERIM

Title: VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
Description: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
Submitted by: Merryl DMello
Status: DRAFT, INTERIM, INTERIM

Title: VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
Description: Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
Submitted by: Merryl DMello
Status: DRAFT, INTERIM, INTERIM

Title: VMware kernel skfp_ioctl function vulnerability
Platform: VMWare ESX Server 4
Description: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple integer overflows vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware ntpd stack-based buffer overflow vulnerability
Platform: VMWare ESX Server 4
Description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware Network Security Services (NSS) heap-based buffer overflow vulnerability
Platform: VMWare ESX Server 4
Description: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel NULL pointer dereference vulnerability
Platform: VMWare ESX Server 4
Description: The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel fs/ext2/dir.c fs/ext3/dir.c and possibly fs/ext4/dir.c vulnerability
Platform: VMWare ESX Server 4
Description: The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware libxml2 stack consumption vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel ptrace_start function vulnerability
Platform: VMWare ESX Server 4
Description: The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python PyString_FromStringAndSize function vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel sock_getsockopt function vulnerability
Platform: VMWare ESX Server 4
Description: The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel libata vulnerability
Platform: VMWare ESX Server 4
Description: libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel execve function vulnerability
Platform: VMWare ESX Server 4
Description: The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware Network Security Services (NSS) certificate spoofing vulnerability by using MD2 design flaw
Platform: VMWare ESX Server 4
Description: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel cifs buffer overflow vulnerability
Platform: VMWare ESX Server 4
Description: Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel ext4_isize function vulnerability
Platform: VMWare ESX Server 4
Description: The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple integer overflows vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel udp_sendmsg function vulnerability
Platform: VMWare ESX Server 4
Description: The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Buffer overflow vulnerability in newt
Platform: VMWare ESX Server 4
Description: Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel nfs_permission function vulnerability
Platform: VMWare ESX Server 4
Description: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware curl vulnerability
Platform: VMWare ESX Server 4
Description: lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel ext4_fill_super function vulnerability
Platform: VMWare ESX Server 4
Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel audit_syscall_entry function vulnerability
Platform: VMWare ESX Server 4
Description: The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel fs/nfs/client.c vulnerability
Platform: VMWare ESX Server 4
Description: fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python zlib extension module vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python integer overflows vulnerability in the imageop module
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware improper setting of the exception code on page faults vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware Network Security Services (NSS) does not properly handle '\0' character
Platform: VMWare ESX Server 4
Description: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple buffer overflows vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware GnuTLS vulnerability
Platform: VMWare ESX Server 4
Description: libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel do_sigaltstack function vulnerability
Platform: VMWare ESX Server 4
Description: The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware ntpq stack-based buffer overflow vulnerability
Platform: VMWare ESX Server 4
Description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel nfsd vulnerability
Platform: VMWare ESX Server 4
Description: nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware glib2 vulnerability
Platform: VMWare ESX Server 4
Description: Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple integer overflows vulnerability in the imageop module
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python PyLocale_strxfrm function vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel integer underflow vulnerability in e1000_clean_rx_irq function
Platform: VMWare ESX Server 4
Description: Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware nfs-utils vulnerability
Platform: VMWare ESX Server 4
Description: The good_client function in nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes the hosts_ctl function with the wrong order of arguments, which causes TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel ecryptfs_write_metadata_to_contents function vulnerability
Platform: VMWare ESX Server 4
Description: The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel exit_notify function vulnerability
Platform: VMWare ESX Server 4
Description: The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel fs/cifs/connect.c buffer overflow vulnerability
Platform: VMWare ESX Server 4
Description: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel parse_tag_11_packet function vulnerability
Platform: VMWare ESX Server 4
Description: Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel eCryptfs vulnerability
Platform: VMWare ESX Server 4
Description: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel integer overflow vulnerability in hrtimer_start function
Platform: VMWare ESX Server 4
Description: Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel RTL8169 NIC driver vulnerability
Platform: VMWare ESX Server 4
Description: Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel parse_tag_3_packet function vulnerability
Platform: VMWare ESX Server 4
Description: Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel make_indexed_dir function vulnerability
Platform: VMWare ESX Server 4
Description: The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel agp subsystem vulnerability
Platform: VMWare ESX Server 4
Description: The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel clone system call vulnerability
Platform: VMWare ESX Server 4
Description: The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel icmp_send function vulnerability
Platform: VMWare ESX Server 4
Description: The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an "rt_cache leak."
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel personality subsystem vulnerability
Platform: VMWare ESX Server 4
Description: The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware BIND vulnerability
Platform: VMWare ESX Server 4
Description: The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware libxml2 use-after-free vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel ext4_group_add function vulnerability
Platform: VMWare ESX Server 4
Description: The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel drivers/firmware/dell_rbu.c vulnerability
Platform: VMWare ESX Server 4
Description: drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware kernel race condition in the do_setlk function vulnerability
Platform: VMWare ESX Server 4
Description: Race condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple integer overflows vulnerability in the PyOS_vsnprintf function
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware python multiple integer overflows vulnerability
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
Platform: VMWare ESX Server 4
Description: Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: OpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Remote Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Sun Java Arbitrary Command Execution in JRE Deployment Toolkit
Platform: VMWare ESX Server 4
Description: The launch method in the Deployment Toolkit plugin in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 6 before Update 17 allows remote attackers to execute arbitrary commands via a crafted web page, aka Bug Id 6869752.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: ACPI Event Daemon (acpid) DOS vulnerability
Platform: VMWare ESX Server 4
Description: ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop.
Submitted by: Pai Peng
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel 2.4 and 2.6 Local Information Disclosure Vulnerability
Platform: VMWare ESX Server 4
Description: The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: OpenJDK MessageDigest.isEqual Introduces Timing Attack Vulnerabilities
Platform: VMWare ESX Server 4
Description: The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: OpenJDK GraphicsConfiguration Information Leak
Platform: VMWare ESX Server 4
Description: Multiple unspecified vulnerabilities in the (1) X11 and (2) Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and attack vectors, related to failure to clone arrays that are returned by the getConfigurations function, aka Bug Id 6822057.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel 'megaraid_sas' Driver Insecure File Permission Local Privilege Escalation Vulnerability
Platform: VMWare ESX Server 4
Description: The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: JRE TrueType Font Parsing Crash
Platform: VMWare ESX Server 4
Description: Unspecified vulnerability in the TrueType font parsing functionality in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows remote attackers to cause a denial of service (application crash) via a certain test suite, aka Bug Id 6815780.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux kernel 'O_EXCL' NFSv4 Privilege Escalation Vulnerability
Platform: VMWare ESX Server 4
Description: NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: ISC BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning Vulnerability
Platform: VMWare ESX Server 4
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: gzip Integer Overflow Vulnerability
Platform: VMWare ESX Server 4
Description: Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: VMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.
Platform: VMWare ESX Server 4
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Submitted by: Varun
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel IPv6 Hop-By-Hop Header Remote Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: OpenSSL 'ChangeCipherSpec' DTLS Packet Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux e1000 Driver 'Jumbo Frame' Handling Remote Security Bypass Vulnerability
Platform: VMWare ESX Server 4
Description: drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel Do_Coredump Security Bypass Vulnerability
Platform: VMWare ESX Server 4
Description: The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
Submitted by: J. Daniel Brown
Status: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Linux Kernel RTL8169 NIC 'RxMaxSize' Frame Size Remote Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.
Submitted by: J.
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK ImageI/O JPEG Heap Overflow VulnerabilityVMWare ESX Server 4Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via large subsample dimensions in a JPEG file that triggers a heap-based buffer overflow, aka Bug Id 6874643.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for perl.VMWare ESX Server 3.5VMWare ESX Server 4The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods."VarunDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK JRE AWT setDifflCM Stack Overflow VulnerabilityVMWare ESX Server 4Stack-based buffer overflow in the setDiffICM function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a crafted argument, aka Bug Id 6872357.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel '/drivers/net/r8169.c' Out-of-IOMMU Error Local Denial of Service VulnerabilityVMWare ESX Server 4The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'drivers/firewire/ohci.c' NULL Pointer Dereference Denial of Service VulnerabilityVMWare ESX Server 4drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 64-bit Kernel Register Memory Leak Local Information Disclosure VulnerabilityVMWare ESX Server 4arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos AES and RC4 Decryption Integer Underflow VulnerabilitiesVMWare ESX Server 4Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX, Service Console update for sudo.VMWare ESX Server 4The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.VarunDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for perl.VMWare ESX Server 3.5VMWare ESX Server 4The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.VarunDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK UI Logging Information LeakageVMWare ESX Server 4The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id 6664512.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK Information Leaks in Mutable VariablesVMWare ESX Server 4Multiple unspecified vulnerabilities in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657026.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDsmbd access control list remote modification vulnerabilityVMWare ESX Server 4The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX, Service Console update for OpenLDAP.VMWare ESX Server 4libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.VarunDRAFTINTERIMACCEPTEDACCEPTEDSudo 'sudoedit' Local Privilege Escalation VulnerabilityVMWare ESX Server 4sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL DTLS Packets Multiple Denial of Service VulnerabilitiesVMWare ESX Server 4Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDSudo 'runas_default' Local Privilege Escalation VulnerabilityVMWare ESX Server 4sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning VulnerabilityVMWare ESX Server 4ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDSamba sharing restriction bypassing vulnerabilityVMWare ESX Server 4Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for krb5.VMWare ESX Server 3.5VMWare ESX Server 4The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.VarunDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'megaraid_sas' Driver Insecure File Permission Local Privilege Escalation VulnerabilityVMWare ESX 
Server 4The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.VMWare ESX Server 4The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.VarunDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK ASN.1/DER Input Stream Parser Denial of Service via Crafted HTTP HeadersVMWare ESX Server 4Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not properly parsed by the ASN.1 DER input stream parser, aka Bug Id 6864911.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel with SELinux 'mmap_min_addr' Low Memory NULL Pointer Dereference VulnerabilityVMWare ESX Server 4The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for cpio and tar.VMWare ESX Server 4Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."VarunDRAFTINTERIMACCEPTEDACCEPTEDExpat UTF-8 Character XML Parsing Remote Denial of Service VulnerabilityVMWare ESX Server 4The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation VulnerabilityVMWare ESX Server 4Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK BMP Parsing DoS With UNC ICC LinksVMWare ESX Server 4Sun Java SE 5.0 before Update 22 and 6 before Update 17 on Windows allows remote attackers to cause a denial of service via a BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file, probably a related issue to CVE-2007-2789, aka Bug Id 6632445.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDsmbd DOS vulnerability via unanticipated oplock break notification reply packetVMWare ESX Server 4smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSamba file permission vulnerabilityVMWare ESX Server 4mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDISC BIND 9 Cache Poisoning VulnerabilityVMWare ESX Server 4ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDpam_krb5 Existing/Non-Existing Username Enumeration WeaknessVMWare ESX Server 4pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDNTP mode 7 MODE_PRIVATE Packet Remote Denial of Service VulnerabilityVMWare ESX Server 4ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'fasync_helper()' Local Privilege Escalation VulnerabilityVMWare ESX Server 4Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDRed Hat Linux Kernel Routing Implementation Multiple Remote Denial of Service VulnerabilitiesVMWare ESX Server 4A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDWindows-based VMware Tools Unsafe Library Loading vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDLinux e1000e Driver 'Jumbo Frame' Handling Remote Security Bypass VulnerabilityVMWare ESX Server 4drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL Multiple VulnerabilitiesVMWare ESX Server 4The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel eCryptfs Lower Dentry Null Pointer Dereference Local Denial of Service VulnerabilityVMWare ESX Server 4The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK JPEG Image Writer quantization problemVMWare ESX Server 4The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, related to a "quantization problem," aka Bug Id 6862968.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK Information Leaks in Mutable VariablesVMWare ESX Server 4Multiple unspecified vulnerabilities in the Windows Pluggable Look and Feel (PL&F) feature in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657138.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDJRE JPEG JFIF Decoder VulnerabilityVMWare ESX Server 4Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, aka Bug Id 6862969.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK Zoneinfo File Existence Information LeakVMWare ESX Server 4The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'fuse_direct_io()' Invalid Pointer Dereference Local Denial of Service VulnerabilityVMWare ESX Server 4The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDGNU Libtool 'libltdl' Library Search Path Local Privilege Escalation VulnerabilityVMWare ESX Server 4ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for cpio and tar.VMWare ESX Server 3.5VMWare ESX Server 4Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.VarunDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK Resurrected Classloaders Can Still Have ChildrenVMWare ESX Server 4Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not prevent the existence of children of a resurrected ClassLoader, which allows remote attackers to gain privileges via unspecified vectors, related to an "information leak vulnerability," aka Bug Id 6636650.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'unix_stream_connect()' Local Denial of Service VulnerabilityVMWare ESX Server 4net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for perl.VMWare ESX Server 4Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.VarunDRAFTINTERIMACCEPTEDACCEPTEDExpat Unspecified XML Parsing Remote Denial of Service VulnerabilityVMWare ESX Server 4The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Packet Denial of Service VulnerabilityVMWare ESX Server 4Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDOpenJDK ASN.1/DER Input Stream Parser Denial of Service via Crafted DER Encoded DataVMWare ESX Server 4Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted DER encoded data, which is not properly decoded by the ASN.1 DER input stream parser, aka Bug Id 6864911.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDJava Web Start Improper Handling of Signed JAR FilesVMWare ESX Server 4The Java Web Start implementation in Sun Java SE 6 before Update 17 does not properly handle the interaction between a signed JAR file and a JNLP (1) application or (2) applet, which has unspecified impact and attack vectors, related to a "regression," aka Bug Id 6870531.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDSun Java Privilege Escalation via Crafted Image File Due Improper Color Profiles ParsingVMWare ESX Server 4Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 does not properly parse color profiles, which allows remote attackers to gain privileges via a crafted image file, aka Bug Id 6862970.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel r128 Driver CCE Initialization NULL Pointer Dereference Denial of Service VulnerabilityVMWare ESX Server 4The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.J. 
Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 2.4 and 2.6 Multiple Local Information Disclosure VulnerabilitiesVMWare ESX Server 4The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX, Service Console update for cURL.VMWare ESX Server 4content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.VarunDRAFTINTERIMACCEPTEDACCEPTEDSun Java Updates Availability Notification System FailureVMWare ESX Server 4The Java Update functionality in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22 and JDK and JRE 6 before Update 17, when a non-English version of Windows is used, does not retrieve available new JRE versions, which allows remote attackers to leverage vulnerabilities in older releases of this software, aka Bug Id 6869694.J. Daniel BrownDRAFTINTERIMACCEPTEDACCEPTEDhfs Subsystem Stack-based Buffer Overflow VulnerabilityVMWare ESX Server 4Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.J. 
Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Stack-based Buffer Overflow via a Long File: URL Argument
Platform: VMWare ESX Server 4
Description: Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a long file: URL in an argument, aka Bug Id 6854303.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Red Hat Linux Kernel 'qla2xxx' Driver Security Bypass Vulnerability
Platform: VMWare ESX Server 4
Description: A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment (JRE) Virtual Machine Lets Remote Users Read/Write Files and Execute Local Applications
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.
Platform: VMWare ESX Server 4
Description: The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Submitted by Varun; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

OpenJDK JRE AWT setBytePixels Heap Overflow Vulnerability
Platform: VMWare ESX Server 4
Description: Heap-based buffer overflow in the setBytePixels function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via crafted arguments, aka Bug Id 6872358.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities
Platform: VMWare ESX Server 4
Description: The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX, Service Console update for NSS_db.
Platform: VMWare ESX Server 4
Description: The Free Software Foundation (FSF) Berkeley DB NSS module (aka libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working directory, which allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses this module.
Submitted by Varun; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX, Service Console update for perl.
Platform: VMWare ESX Server 4
Description: Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions.
Submitted by Varun; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

OpenSSL 'zlib' Compression Memory Leak Remote Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment LDAP Implementation Bugs Lets Remote Users Deny Service and Execute Arbitrary Code
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Integer and Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) "unpack200" JAR Unpacking Utility May Lead to Escalation of Privileges
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

OpenJDK ICC_Profile File Existence Detection Information Leak
Platform: VMWare ESX Server 4
Description: Directory traversal vulnerability in the ICC_Profile.getInstance method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local International Color Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id 6631533.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment Buffer Overflows in unpack200 Utility Lets Remote Users Execute Arbitrary Code
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Integer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Runtime Environment Java Plug-in weak security
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 allows user-assisted remote attackers to cause a trusted applet to run in an older JRE version, which can be used to exploit vulnerabilities in that older version, aka CR 6706490.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.
Platform: VMWare ESX Server 4
Description: OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Submitted by Varun; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX Server 4.0 is installed
Platform: VMware ESX Server 4
Description: The operating system installed on the system is VMware ESX Server 4.0.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Linux Kernel 'nfs4_proc_lock()' Local Denial of Service Vulnerability
Platform: VMWare ESX Server 4
Description: The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Privilege Escalation in the Java Web Start Installer
Platform: VMWare ESX Server 4
Description: The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Platform: VMWare ESX Server 4
Description: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Submitted by J. Daniel Brown; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Runtime Environment Java Plug-in crossdomain.xml information disclosure
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Unspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Runtime Environment Java Plug-in signed applet unauthorized access
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier, and 5.0 Update 17 and earlier, allows remote attackers to trick a user into trusting a signed applet via unknown vectors that misrepresent the security warning dialog, related to a "Swing JLabel HTML parsing vulnerability," aka CR 6782871.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sun Java Runtime Environment Java Plug-in Javascript code unauthorized access
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; and 1.4.2_19 and earlier does not prevent Javascript that is loaded from the localhost from connecting to other ports on the system, which allows user-assisted attackers to bypass intended access restrictions via LiveConnect, aka CR 6724331. NOTE: this vulnerability can be leveraged with separate cross-site scripting (XSS) vulnerabilities for remote attack vectors.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Java Plug-in Bugs Lets Remote Users Gain Privileges
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Unspecified vulnerability in the Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "deserializing applets," aka CR 6646860.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Sudo Supplemental Group Privilege Error Lets Certain Local Users Gain Elevated Privileges
Platform: VMWare ESX Server 4
Description: parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
Submitted by Michael Wood; DRAFT; modified by Michael Wood; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

Kerberos GSS-API SPNEGO Null Pointer Dereference and Invalid Memory Access Bugs Let Remote Denial of Service
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment (JRE) HTTP Server Bug Lets Remote Users Deny Service
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak."
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

MIT Kerberos SPNEGO and ASN.1 Multiple Remote Denial Of Service Vulnerabilities
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment (JRE) Buffer Overflow in Processing Image Files and Fonts Lets Remote Users Gain Privileges on the Target System
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple buffer overflows in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allow remote attackers to access files or execute arbitrary code via (1) a crafted PNG image that triggers an integer overflow during memory allocation for display on the splash screen, aka CR 6804996; and (2) a crafted GIF image from which unspecified values are used in calculation of offsets, leading to object-pointer corruption, aka CR 6804997.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Java Runtime Environment (JRE) Flaws in Storing and Processing Temporary Font Files Let Remote Users Deny Service
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Multiple unspecified vulnerabilities in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allow remote attackers to cause a denial of service (disk consumption) via vectors related to temporary font files and (1) "limits on Font creation," aka CR 6522586, and (2) another unspecified vector, aka CR 6632886.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

cURL/libcURL HTTP 'Location:' Redirect Security Bypass Vulnerability
Platform: VMWare ESX Server 4
Description: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
Submitted by Michael Wood; DRAFT; modified by Michael Wood; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) with Processing Image Files and Fonts may Allow Privileges to be Escalated
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files or execute arbitrary code via a crafted GIF image, aka CR 6804998.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

udev Netlink Message Validation Local Privilege Escalation Vulnerability
Platform: VMWare ESX Server 4
Description: udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
Submitted by Michael Wood; DRAFT; modified by Michael Wood; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

VMware vCenter, ESX patch and vCenter Lab Manager cross-site scripting issues
Platform: VMWare ESX Server 4
Description: Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

Integer signedness error in Java SE Development Kit (JDK) and Java Runtime Environment (JRE)
Platforms: VMWare ESX Server 3.5, VMWare ESX Server 4
Description: Integer signedness error in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via crafted glyph descriptions in a Type1 font, which bypasses a signed comparison and triggers a buffer overflow.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

Kerberos ASN.1 GeneralizedTime Decoder Bug Lets Remote Users Execute Arbitrary Code
Platforms: VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4
Description: The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; modified by J. Daniel Brown; INTERIM; ACCEPTED; current status ACCEPTED.

VMWare ESX Server 3.0.3 is installed
Platform: VMWare ESX Server 3
Description: The operating system installed on the system is VMWare ESX Server 3.0.3.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX Server 3.5.0 is installed
Platform: VMware ESX Server 3.5
Description: The operating system installed on the system is VMware ESX Server 3.5.0.
Submitted by Pai Peng; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.

VMWare ESX Server 3.0.2 is installed
Platform: VMWare ESX Server 3
Description: The operating system installed on the system is VMWare ESX Server 3.0.2.
Submitted by Yuzheng Zhou; DRAFT; INTERIM; ACCEPTED; modified by David Rothenberg; INTERIM; ACCEPTED; current status ACCEPTED.

VMware ESX Server 4.0 is installed
Platform: VMware ESX Server 4
Description: The operating system installed on the system is VMware ESX Server 4.0.
Submitted by Michael Wood; DRAFT; INTERIM; ACCEPTED; current status ACCEPTED.