
Bug 290702 (CVE-2007-6063)

Summary: <app-emulation/vmware-server-2.0.2.203138 JDK issues (CVE-2007-6063,CVE-2008-{0598,2086,2136,2812,3275,3525,4210,5339,5340,5341,5342,5343,5344,5345,5346,5347,5348,5349,5350,5351,5352,5353,5354,5355,5356,5357,5358,5359,5360},CVE-2009-{0692,1093,1094,109...
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gengor, vadimk, vmware+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.vmware.com/security/advisories/VMSA-2009-0014.html
Whiteboard: B1? [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-10-27 09:48:22 UTC
Only the "JRE Security Update" (section c) should be relevant, but I'm currently not sure how exactly this makes a vmware server vulnerable.

Server         2.0       any      affected, patch pending
Server         1.0       any      not affected

"Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network."
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-27 09:50:52 UTC
Rating B1 for now, but I'm not sure which level of access might be possible; please adjust if you have further information.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-10-27 19:55:01 UTC
(In reply to comment #0)
> Only the "JRE Security Update" (section c) should be relevant, but I'm
> currently not sure how exactly this makes a vmware server vulnerable.
> 
> Server         2.0       any      affected, patch pending
> Server         1.0       any      not affected
> 
> "Notes: These vulnerabilities can be exploited remotely only if the attacker
> has access to the Service Console network."
> 

VMSA-2009-0015 released, new versions and some more CVEs:
CVE-2009-2267
CVE-2009-3733

Server         2.x       any      2.0.2 build 203138 or later
Server         1.x       any      1.0.10 build 203137 or later

Comment 3 Vadim Kuznetsov (RETIRED) gentoo-dev 2009-10-29 14:58:16 UTC
vmware-server-2.0.2.203138 is in the tree.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-30 18:30:12 UTC
Are there any problems with the modules? Is it ready for stabling?
Comment 5 Vadim Kuznetsov (RETIRED) gentoo-dev 2009-10-30 19:43:00 UTC
(In reply to comment #4)
> Are there any problems with the modules? Is it ready for stabling?
> 
Yes, I think vmware-modules-1.0.0.24-r1.ebuild are ready.

vmware-modules-1.0.0.25 for vmware-workstation-6.5.3.185404 are ready as well.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-11-04 04:23:03 UTC
Since Server 1.0 (our stable) is not affected and 2.0 (our unstable) is fixed in unstable, this bug is resolved. Modules and Workstation are up to date via bug 282213.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-03-07 00:06:51 UTC
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

<app-emulation/vmware-server-2.0.2.203138 JDK issues (CVE-2007-6063,CVE-2008-{0598,2086,2136,2812,3275,3525,4210,5339,5340,5341,5342,5343,5344,5345,5346,5347,5348,5349,5350,5351,5352,5353,5354,5355,5356,5357,5358,5359,5360},CVE-2009-{0692,1093,1094,1095,1096,1097,1098,1099,1100,1101,1102,1103,1104,1105,1106,1107,1893})