The OVAL Repository5.102012-01-27T05:11:26.231-05:00VMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware libxml2 stack consumption vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python PyString_FromStringAndSize function vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python zlib extension module vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python integer overflows vulnerability in the imageop moduleVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware improper setting of the exception code on page faults vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware net-snmp divide-by-zero vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple buffer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerability in the imageop moduleVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python PyLocale_strxfrm function vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware directory traversal vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware libxml2 use-after-free vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerability in the PyOS_vsnprintf functionVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for perl.VMWare ESX Server 3.5VMWare ESX Server 4The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods."VarunDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for perl.VMWare ESX Server 3.5VMWare ESX Server 4The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.VarunDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for krb5.VMWare ESX Server 3.5VMWare ESX Server 4The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.VarunDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for samba.VMWare ESX Server 3.5Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.VarunDRAFTINTERIMACCEPTEDACCEPTEDWebAccess Context Data Cross-site Scripting VulnerabilityVMWare ESX Server 3.5Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "context data."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDWindows-based VMware Tools Unsafe Library Loading vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for cpio and tar.VMWare ESX Server 3.5VMWare ESX Server 4Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.VarunDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server 4.0 is installedVMware ESX Server 4The operating system installed on the system is VMware ESX Server 4.0.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDWebAccess Virtual Machine Name Cross-site Scripting VulnerabilityVMWare ESX Server 3.5Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5, and the Server Console in VMware Server 1.0, allows remote attackers to inject arbitrary web script or HTML via the name of a virtual machine.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX,Service Console update for cpio.VMWare ESX Server 3.5Buffer overflow in cpio 2.6-8.FC4 on 64-bit platforms, when creating a cpio archive, allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a file whose size is represented by more than 8 digits.VarunDRAFTINTERIMACCEPTEDACCEPTEDJava Runtime Environment (JRE) Virtual Machine Lets Remote Users Read/Write Files and Execute Local ApplicationsVMWare ESX Server 3.5VMWare ESX Server 4Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Runtime Environment LDAP Implementation Bugs Lets Remote Users Deny Service and Execute Arbitrary CodeVMWare ESX Server 3.5VMWare ESX Server 4LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDInteger and Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) "unpack200" JAR Unpacking Utility May Lead to Escalation of PrivilegesVMWare ESX Server 3.5VMWare ESX Server 4Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Runtime Environment Buffer Overflows in unpack200 Utility Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3.5VMWare ESX Server 4Integer overflow in unpack200 in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Java Plug-in weak securityVMWare ESX Server 3.5VMWare ESX Server 4The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 allows user-assisted remote attackers to cause a trusted applet to run in an older JRE version, which can be used to exploit vulnerabilities in that older version, aka CR 6706490.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel TTY Operations NULL Pointer Dereference Denial of Service VulnerabilitiesVMWare ESX Server 3.5The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment zip File Processing Bug Lets Remote Users Read Memory LocationsVMWare ESX Server 3.5Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Multiple Code Execution and Security Bypass VulnerabilitiesVMWare ESX Server 3.5Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to gain privileges to access local files or applications via unknown vectors, aka 6727081.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Java Plug-in crossdomain.xml information disclosureVMWare ESX Server 3.5VMWare ESX Server 4The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment and Java Development Kit Multiple Security VulnerabilitiesVMWare ESX Server 3.5VMWare ESX Server 4Unspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment temporary files weak securityVMWare ESX Server 3.5Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier creates temporary files with predictable file names, which allows attackers to write malicious JAR files via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Java Plug-in signed applet unauthorized accessVMWare ESX Server 3.5VMWare ESX Server 4The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier, and 5.0 Update 17 and earlier, allows remote attackers to trick a user into trusting a signed applet via unknown vectors that misrepresent the security warning dialog, related to a "Swing JLabel HTML parsing vulnerability," aka CR 6782871.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Java Plug-in Javascript code unauthorized accessVMWare ESX Server 3.5VMWare ESX Server 4The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; and 1.4.2_19 and earlier does not prevent Javascript that is loaded from the localhost from connecting to other ports on the system, which allows user-assisted attackers to bypass intended access restrictions via LiveConnect, aka CR 6724331. NOTE: this vulnerability can be leveraged with separate cross-site scripting (XSS) vulnerabilities for remote attack vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel UBIFS Orphan Inode Local Denial of Service VulnerabilityVMWare ESX Server 3.5The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment and Java Development Kit Multiple Security VulnerabilitiesVMWare ESX Server 3.5Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos authentication, allows remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Plug-in Bugs Lets Remote Users Gain PrivilegesVMWare ESX Server 3.5VMWare ESX Server 4Unspecified vulnerability in the Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "deserializing applets," aka CR 6646860.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment JAR Main-Class manifest entry buffer overflowVMWare ESX Server 3.5Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched and possibly remote untrusted Java applications to execute arbitrary code via a JAR file with a long Main-Class manifest entry.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Runtime Environment (JRE) Buffer Overflow in Processing Image Files and Fonts Lets Remote Users Gain Privileges on the Target SystemVMWare ESX Server 3.5Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors, aka CR 6727071.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel ISDN_Net.C Local Buffer Overflow VulnerabilityVMWare ESX Server 3.5Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment 'Calendar.readObject' Bug Lets Remote Applets Gain Elevated PrivilegesVMWare ESX Server 3.5The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment TrueType font integer overflowVMWare ESX Server 3.5Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel Memory Leak in SIT Code ipip6_rcv() Lets Remote Users Deny ServiceVMWare ESX Server 3.5Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Recursive Entity Evaluation Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment TrueType font buffer overflowVMWare ESX Server 3.5Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDBzip2 Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVim HelpTags Command Remote Format String VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDLibpng Library Uninitialized Pointer Arrays Memory Corruption VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDKerberos GSS-API SPNEGO Null Pointer Dereference and Invalid Memory Access Bugs Let Remote Denial of ServiceVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDRed Hat dhcpd init Script Symlink Flaw Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Guest Virtual Device Driver Bug Lets Local Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware authd Service Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDHarmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass VulnerabilitiesVMWare ESX Server 3VMWare ESX Server 3.5Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Administrative Directory Traversal Bug May Allow Administrators to Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Directory traversal vulnerability in VMWare ESXi 3.5 before ESXe350-200810401-O-UG and ESX 3.5 before ESX350-200810201-UG allows administrators with the Datastore.FileManagement privilege to gain privileges via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Lets Remote Users View Directory ContentsVMWare ESX Server 3.5Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applications and applets to list the contents of the operating user's directory via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Integer Overflow in xmlBufferResize() Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDNet-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass AuthenticationVMWare ESX Server 3VMWare ESX Server 3.5SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDJava Runtime Environment (JRE) HTTP Server Bug Lets Remote Users Deny ServiceVMWare ESX Server 3.5VMWare ESX Server 4Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak."Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDMultiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege EscalationVMWare ESX Server 3.5Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to perform network connections to unauthorized hosts via unknown vectors, aka CR 6727079.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Host Guest File System Bug Lets Local Users Enable Certain Shared FoldersVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the ACE shared folders implementation in the VMware Host Guest File System (HGFS) shared folders feature in VMware ACE 2.5.1 and earlier allows attackers to enable a disabled shared folder.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel 'truncate()' Local Privilege Escalation VulnerabilityVMWare ESX Server 3.5fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Buffer Overflow in unpack200 Utility Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3.5Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflow.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL DSA and ECDSA "EVP_VerifyFinal()" Spoofing VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDVMware Virtual Infrastructure Client Password Disclosure WeaknessVMWare ESX Server 3VMWare ESX Server 3.5VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 before Update 4, and VMware ESX 3.5 before Update 4 retains the VirtualCenter Server password in process memory, which might allow local users to obtain this password.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Integer Overflow in xmlSAX2Characters() May Let Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDUnspecified vunerability in the BasicService for Java Web Start (JWS) and Java Plug-inVMWare ESX Server 3.5Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors, aka 6767668.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos SPNEGO and ASN.1 Multiple Remote Denial Of Service VulnerabilitiesVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment GIF images code executionVMWare ESX Server 3.5Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Bug in 'hcmon.sys' Lets Local Privileged Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware CPU Hardware Emulation Bug Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5The CPU hardware emulation in VMware Workstation 6.0.5 and earlier and 5.5.8 and earlier; Player 2.0.x through 2.0.5 and 1.0.x through 1.0.8; ACE 2.0.x through 2.0.5 and earlier, and 1.0.x through 1.0.7; Server 1.0.x through 1.0.7; ESX 2.5.4 through 3.5; and ESXi 3.5, when running 32-bit and 64-bit guest operating systems, does not properly handle the Trap flag, which allows authenticated guest OS users to gain privileges on the guest OS.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDJava Runtime Environment (JRE) Buffer Overflow in Processing Image Files and Fonts Lets Remote Users Gain Privileges on the Target SystemVMWare ESX Server 3.5VMWare ESX Server 4Multiple buffer overflows in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allow remote attackers to access files or execute arbitrary code via (1) a crafted PNG image that triggers an integer overflow during memory allocation for display on the splash screen, aka CR 6804996; and (2) a crafted GIF image from which unspecified values are used in calculation of offsets, leading to object-pointer corruption, aka CR 6804997.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDmimeTeX and mathTeX Buffer Overflow and Command Injection IssuesVMWare ESX Server 3VMWare ESX Server 3.5libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Heap Overflows in VNnc Codec Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CAN-435.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Web Start and Java Plug-in applet class security bypassVMWare ESX Server 3.5Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets to read arbitrary files and make unauthorized network connections via unknown vectors related to applet classloading, aka 6716217.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Virtual Hardware Memory Access Bug Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in VMware Workstation 5.5.8 and earlier, and 6.0.5 and earlier 6.x versions; VMware Player 1.0.8 and earlier, and 2.0.5 and earlier 2.x versions; VMware Server 1.0.9 and earlier; VMware ESXi 3.5; and VMware ESX 3.0.2 through 3.5 allows guest OS users to have an unknown impact by sending the virtual hardware a request that triggers an arbitrary physical-memory write operation, leading to memory corruption.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVim Flaw in Quoting Vim Script Lets Remote Users Cause Arbitrary Commands to Be Executed in Certain CasesVMWare ESX Server 3VMWare ESX Server 3.5Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDJava Runtime Environment (JRE) Flaws in Storing and Processing Temporary Font Files Let Remote Users Deny ServiceVMWare ESX Server 3.5VMWare ESX Server 4Multiple unspecified vulnerabilities in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allow remote attackers to cause a denial of service (disk consumption) via vectors related to temporary font files and (1) "limits on Font creation," aka CR 6522586, and (2) another unspecified vector, aka CR 6632886.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Runtime Environment UTF-8 Decoding Bug May Let Users Bypass Access RestrictionsVMWare ESX Server 3.5Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel copy_user() IA32 Emulation Bug Discloses Information to Local UsersVMWare ESX Server 3.5Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDNet-snmp GETBULK Request Processing Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Descheduled Time Accounting Driver Bug Lets Local Users on the Guest Operating System Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.2 build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Heap Overflow in xmlParseAttValueComplex() Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Multiple Hosted Products Display Function Code Execution VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment (JRE) Lets Remote Users Access 'localhost'VMWare ESX Server 3.5Unspecified vulnerability in Java Runtime Environment (JRE) with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier allows code that is loaded from a local filesystem to read arbitrary files and make unauthorized connections to localhost via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) with Processing Image Files and Fonts may Allow Privileges to be EscalatedVMWare ESX Server 3.5VMWare ESX Server 4Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers to access files or execute arbitrary code via a crafted GIF image, aka CR 6804998.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVim 'mch_expand_wildcards()' Heap Based Buffer Overflow VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDDHCP dhclient Stack Overflow in script_write_params() Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Web Start and Java Plug-in JAR File Privilege Escalation VulnerabilityVMWare ESX Server 3.5Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows remote attackers to make unauthorized network connections and hijack HTTP sessions via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR" and CR 6707535.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server VMDK Delta Disk Processing Lets Local Administrative Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401-I-SG and ESX 3.5 before ESX350-200901401-SG allows local administrators to cause a denial of service (host crash) via a snapshot with a malformed VMDK delta disk.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment RSA Public Key Processing Bug Lets Remote Users Deny ServiceVMWare ESX Server 3.5Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment image processing code buffer overflowVMWare ESX Server 3.5Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code, related to a ConvolveOp operation in the Java AWT library.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVim Insufficient Shell Escaping Multiple Command Execution VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDVMWare Guest Virtual Device Driver VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CAN-436.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDInteger signedness error in Java SE Development Kit (JDK) and Java Runtime Environment (JRE)VMWare ESX Server 3.5VMWare ESX Server 4Integer signedness error in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12 and earlier, allows remote attackers to access files or execute arbitrary code via crafted glyph descriptions in a Type1 font, which bypasses a signed comparison and triggers a buffer overflow.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel SBNI WAN Driver Privilege Check Bugs May Let Local Users Gain Elevated PrivilegesVMWare ESX Server 3.5The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem in the Linux kernel 2.6.26.3 does not check for the CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS, (2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE ioctl request, which allows local users to bypass intended capability restrictions.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment Java Update Fails to Validate Digital SignaturesVMWare ESX Server 3.5The "Java Update" feature for Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSun Java Runtime Environment JAX-WS and JAXB Lets Remote Applets Gain Elevated PrivilegesVMWare ESX Server 3.5Multiple unspecified vulnerabilities in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted applets and applications to gain privileges via vectors related to access to inner classes in the (1) JAX-WS and (2) JAXB packages.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDJava Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network ConnectionsVMWare ESX Server 3.5Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allow remote attackers to execute arbitrary code via a crafted jnlp file that modifies the (1) java.home, (2) java.ext.dirs, or (3) user.home System Properties, aka "Java Web Start File Inclusion" and CR 6694892.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDAvaya Solaris BIND "EVP_VerifyFinal()" Signature Spoofing VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDLibTIFF Buffer Underflow in Decoding LZW Data Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDKerberos ASN.1 GeneralizedTime Decoder Bug Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware ESX Server 4.0 is installedVMware ESX Server 4The operating system installed on the system is VMware ESX Server 4.0.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Windows 'vmci.sys' Driver Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.3 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.3.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.2 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.2.Yuzheng ZhouDRAFTINTERIMACCEPTEDDavid RothenbergINTERIMACCEPTEDACCEPTEDESX third party update for Service Console kernelVMWare ESX Server 3.5The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.Aslesha NargolkarDRAFTINTERIMACCEPTEDACCEPTEDESX third party update for Service Console kernelVMWare ESX Server 3.5drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.Aslesha NargolkarDRAFTINTERIMACCEPTEDACCEPTEDESX third party update for Service Console kernelVMWare ESX Server 3.5Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.Aslesha NargolkarDRAFTINTERIMACCEPTEDACCEPTEDVMware vmkernel third party e1000 Driver Packet Filter BypassVMWare ESX Server 3.5drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.Aslesha NargolkarDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDService Console update for COS kernelVMWare ESX Server 3.5The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.Chandan M CDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server 3.5.0 is installedVMware ESX Server 3.5The operating system installed on the system is VMware ESX Server 3.5.0.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDESX303-200910401-BGESX350-200910401-SGESX400-200909401-BGESX303-201002202-SGESX350-201002401-SGESX303-200812406-BGESX350-201002407-SGESX303-201002204-SGESX400-200911234-SGESX350-201002402-SGESX303-201002206-SGESX400-200911235-SGESX350-201008412-SGESX400-201009411-SGESX350-201008411-SGESX400-201009403-SGESX350-201008410-SGESX350-201003403-SGESX400-201002401-BGESX350-200912401-BGESX303-201002203-UGESX400-201009402-SGESX350-201008407-SGESX400-201009406-SGESX350-200903223-UGESX350-201008405-SGESX350-200810201-UGESX303-200810501-BGESX-1006680ESX350-200811401-SGESX350-200811406-SGESX303-200811404-SGESX-1006982ESX-1006980ESX303-200811401-BGESX303-200905401-SGESX350-200904401-BGESX-1008420ESX350-200904201-SGESX303-200904403-SGESX350-200910406-SGESX303-200910402-SGESX303-200901406-SGESX-1007673ESX350-200901401-SGESX303-200901405-SGESX350-200901409-SGESX350-200901410-SGESX-1007674ESX350-200910403-SGESX400-200911223-UGESX350-200910401-SGESX350-200910403-SGESX-1008409ESX350-200904408-SGESX303-200903405-SGESX-1008408ESX350-200904407-SGESX303-200903403-SGESX-1008406ESX303-200903406-SGESX350-200904406-SGESX303-200810503-SGESX-1006968ESX350-200811405-SGESX400-200906405-SGESX303-200908403-SGESX350-200906407-SGESX350-200811401-SGESX303-200811401-BGESX-1006980ESX350-201105404-SGESX350-201006401-SG4.0.04.0.03.0.33.0.23.5.0