The OVAL Repository5.102015-09-03T11:13:54.541-04:00VMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware libxml2 stack consumption vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python PyString_FromStringAndSize function vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python zlib extension module vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python integer overflows vulnerability in the imageop moduleVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware improper setting of the exception code on page faults vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware net-snmp divide-by-zero vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware python multiple buffer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerability in the imageop moduleVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python PyLocale_strxfrm function vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware directory traversal vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware libxml2 use-after-free vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerability in the PyOS_vsnprintf functionVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware python multiple integer overflows vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDWindows-based VMware Tools Unsafe Library Loading vulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share.Pai PengDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDLibxml2 Recursive Entity Evaluation Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDBzip2 Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVim HelpTags Command Remote Format String VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDLibpng Library Uninitialized Pointer Arrays Memory Corruption VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDKerberos GSS-API SPNEGO Null Pointer Dereference and Invalid Memory Access Bugs Let Remote Denial of ServiceVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDRed Hat dhcpd init Script Symlink Flaw Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Guest Virtual Device Driver Bug Lets Local Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware authd Service Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDHarmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass VulnerabilitiesVMWare ESX Server 3VMWare ESX Server 3.5Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Administrative Directory Traversal Bug May Allow Administrators to Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Directory traversal vulnerability in VMWare ESXi 3.5 before ESXe350-200810401-O-UG and ESX 3.5 before ESX350-200810201-UG allows administrators with the Datastore.FileManagement privilege to gain privileges via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDLibxml2 Integer Overflow in xmlBufferResize() Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDNet-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass AuthenticationVMWare ESX Server 3VMWare ESX Server 3.5SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Host Guest File System Bug Lets Local Users Enable Certain Shared FoldersVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the ACE shared folders implementation in the VMware Host Guest File System (HGFS) shared folders feature in VMware ACE 2.5.1 and earlier allows attackers to enable a disabled shared folder.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL DSA and ECDSA "EVP_VerifyFinal()" Spoofing VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDVMware Virtual Infrastructure Client Password Disclosure WeaknessVMWare ESX Server 3VMWare ESX Server 3.5VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 before Update 4, and VMware ESX 3.5 before Update 4 retains the VirtualCenter Server password in process memory, which might allow local users to obtain this password.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Integer Overflow in xmlSAX2Characters() May Let Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDMIT Kerberos SPNEGO and ASN.1 Multiple Remote Denial Of Service VulnerabilitiesVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware Bug in 'hcmon.sys' Lets Local Privileged Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware CPU Hardware Emulation Bug Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5The CPU hardware emulation in VMware Workstation 6.0.5 and earlier and 5.5.8 and earlier; Player 2.0.x through 2.0.5 and 1.0.x through 1.0.8; ACE 2.0.x through 2.0.5 and earlier, and 1.0.x through 1.0.7; Server 1.0.x through 1.0.7; ESX 2.5.4 through 3.5; and ESXi 3.5, when running 32-bit and 64-bit guest operating systems, does not properly handle the Trap flag, which allows authenticated guest OS users to gain privileges on the guest OS.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDmimeTeX and mathTeX Buffer Overflow and Command Injection IssuesVMWare ESX Server 3VMWare ESX Server 3.5libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware Heap Overflows in VNnc Codec Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CAN-435.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Virtual Hardware Memory Access Bug Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in VMware Workstation 5.5.8 and earlier, and 6.0.5 and earlier 6.x versions; VMware Player 1.0.8 and earlier, and 2.0.5 and earlier 2.x versions; VMware Server 1.0.9 and earlier; VMware ESXi 3.5; and VMware ESX 3.0.2 through 3.5 allows guest OS users to have an unknown impact by sending the virtual hardware a request that triggers an arbitrary physical-memory write operation, leading to memory corruption.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVim Flaw in Quoting Vim Script Lets Remote Users Cause Arbitrary Commands to Be Executed in Certain CasesVMWare ESX Server 3VMWare ESX Server 3.5Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDNet-snmp GETBULK Request Processing Bug Lets Remote Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Descheduled Time Accounting Driver Bug Lets Local Users on the Guest Operating System Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.2 build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDLibxml2 Heap Overflow in xmlParseAttValueComplex() Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Multiple Hosted Products Display Function Code Execution VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVim 'mch_expand_wildcards()' Heap Based Buffer Overflow VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDDHCP dhclient Stack Overflow in script_write_params() Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDESX 2.5.4 through 3.5 allows authenticated guest OS users to gain additional guest OS privilegesVMWare ESX Server 3The CPU hardware emulation for 64-bit guest operating systems in VMware Workstation 6.0.x before 6.0.5 build 109488 and 5.x before 5.5.8 build 108000; Player 2.0.x before 2.0.5 build 109488 and 1.x before 1.0.8; Server 1.x before 1.0.7 build 108231; and ESX 2.5.4 through 3.5 allows authenticated guest OS users to gain additional guest OS privileges by triggering an exception that causes the virtual CPU to perform an indirect jump to a non-canonical address.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware ESX Server VMDK Delta Disk Processing Lets Local Administrative Users Deny ServiceVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401-I-SG and ESX 3.5 before ESX350-200901401-SG allows local administrators to cause a denial of service (host crash) via a snapshot with a malformed VMDK delta disk.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVim Insufficient Shell Escaping Multiple Command Execution VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDVMWare Guest Virtual Device Driver VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CAN-436.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Openwsman Lets Local Users Gain Root PrivilegesVMWare ESX Server 3VMWare ESX Server 2Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length."Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Tools Input Validation Flaw in Windows Guest OS Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 2HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6 build 80404, VMware Player before 1.0.6 build 80404, VMware ACE before 1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX 2.5.4 through 3.0.2 does not properly validate arguments in user-mode METHOD_NEITHER IOCTLs to the \\.\hgfs device, which allows guest OS users to modify arbitrary memory locations in guest kernel memory and gain privileges.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Buffer Overflows in VIX API Let Local Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 2Multiple buffer overflows in VIX API 1.1.x before 1.1.4 build 93057 on VMware Workstation 5.x and 6.x, VMware Player 1.x and 2.x, VMware ACE 2.x, VMware Server 1.x, VMware Fusion 1.x, VMware ESXi 3.5, and VMware ESX 3.0.1 through 3.5 allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware ESX Openwsman Lets Local Users Gain Root PrivilegesVMWare ESX Server 3VMWare ESX Server 2Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length."Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Unsafe Library Path in vmware-authd Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 2Untrusted search path vulnerability in vmware-authd in VMware Workstation 5.x before 5.5.7 build 91707 and 6.x before 6.0.4 build 93057, VMware Player 1.x before 1.0.7 build 91707 and 2.x before 2.0.4 build 93057, and VMware Server before 1.0.6 build 91891 on Linux, and VMware ESXi 3.5 and VMware ESX 2.5.4 through 3.5, allows local users to gain privileges via a library path option in a configuration file.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDAvaya Solaris BIND "EVP_VerifyFinal()" Signature Spoofing VulnerabilityVMWare ESX Server 3VMWare ESX Server 3.5BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.Michael WoodDRAFTMichael WoodINTERIMACCEPTEDACCEPTEDVMware ESX Multiple Code Execution and Denial of Service VulnerabilitiesVMWare ESX Server 3Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attackers to gain privileges or cause a denial of service (application crash) via unspecified vectors.Michael WoodDRAFTINTERIMACCEPTEDMichael WoodINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDLibTIFF Buffer Underflow in Decoding LZW Data Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDKerberos ASN.1 GeneralizedTime Decoder Bug Lets Remote Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 3.5VMWare ESX Server 4.0The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware ESX Server 4.0 is installedVMware ESX Server 4.0The operating system installed on the system is VMware ESX Server 4.0.Michael WoodDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMware Windows 'vmci.sys' Driver Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 3.5Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.3 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.3.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server 3.5.0 is installedVMware ESX Server 3.5The operating system installed on the system is VMware ESX Server 3.5.0.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX server double free vulnerability may let remote users execute arbitrary codeVMWare ESX Server 3Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows attackers to cause a denial of service (crash), obtain sensitive information, or possibly execute arbitrary code via unspecified vectors.Yuzheng ZhouDRAFTPai PengINTERIMACCEPTEDMichael WoodINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.0 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.0.Yuzheng ZhouDRAFTINTERIMACCEPTEDDavid RothenbergINTERIMACCEPTEDACCEPTEDVMware Tools Input Validation Flaw in Windows Guest OS Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 2HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6 build 80404, VMware Player before 1.0.6 build 80404, VMware ACE before 1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX 2.5.4 through 3.0.2 does not properly validate arguments in user-mode METHOD_NEITHER IOCTLs to the \\.\hgfs device, which allows guest OS users to modify arbitrary memory locations in guest kernel memory and gain privileges.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Buffer Overflows in VIX API Let Local Users Execute Arbitrary CodeVMWare ESX Server 3VMWare ESX Server 2Multiple buffer overflows in VIX API 1.1.x before 1.1.4 build 93057 on VMware Workstation 5.x and 6.x, VMware Player 1.x and 2.x, VMware ACE 2.x, VMware Server 1.x, VMware Fusion 1.x, VMware ESXi 3.5, and VMware ESX 3.0.1 through 3.5 allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.Michael WoodDRAFTINTERIMACCEPTEDJ. Daniel BrownINTERIMACCEPTEDACCEPTEDVMware Unsafe Library Path in vmware-authd Lets Local Users Gain Elevated PrivilegesVMWare ESX Server 3VMWare ESX Server 2Untrusted search path vulnerability in vmware-authd in VMware Workstation 5.x before 5.5.7 build 91707 and 6.x before 6.0.4 build 93057, VMware Player 1.x before 1.0.7 build 91707 and 2.x before 2.0.4 build 93057, and VMware Server before 1.0.6 build 91891 on Linux, and VMware ESXi 3.5 and VMware ESX 2.5.4 through 3.5, allows local users to gain privileges via a library path option in a configuration file.Michael WoodDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.2 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.2.Yuzheng ZhouDRAFTINTERIMACCEPTEDDavid RothenbergINTERIMACCEPTEDACCEPTEDVMWare ESX Server 3.0.1 is installedVMWare ESX Server 3The operating system installed on the system is VMWare ESX Server 3.0.1.Yuzheng ZhouDRAFTINTERIMACCEPTEDDavid RothenbergINTERIMACCEPTEDACCEPTEDESX303-200910401-BGESX350-200910401-SGESX400-200909401-BGESX303-201002202-SGESX350-201002401-SGESX303-200812406-BGESX350-201002407-SGESX303-201002204-SGESX400-200911234-SGESX350-201002402-SGESX303-201002206-SGESX400-200911235-SGESX400-201002401-BGESX350-200912401-BGESX303-201002203-UGESX350-200810201-UGESX303-200810501-BGESX-1006680ESX350-200811401-SGESX350-200811406-SGESX303-200811404-SGESX-1006982ESX-1006980ESX303-200811401-BGESX303-200905401-SGESX350-200904401-BGESX-1008420ESX350-200904201-SGESX303-200904403-SGESX350-200910406-SGESX350-200910401-SGESX303-200910402-SG10066782008094011006361ESX303-200901406-SGESX-1007673ESX350-200901401-SGESX303-200901405-SGESX350-200901409-SGESX350-200901410-SGESX-100767410047261004186905211004219100472310047281004721100482110047241004725100421690520100419010047221004719100472710041891004728100472110047271004186100472510041909052010047241004219100421690521100472210047191004726100472310041891004821ESX-1008409ESX350-200904408-SGESX303-200903405-SGESX-1008408ESX350-200904407-SGESX303-200903403-SGESX-1008406ESX303-200903406-SGESX350-200904406-SG7052426773743213173757526688852210187015411618708174018341657149216915011126419794599764003927189617902ESX303-200810503-SGESX-1006968ESX350-200811405-SGESX400-200906405-SGESX303-200908403-SGESX350-200906407-SGESX350-200811401-SGESX303-200811401-BGESX-100698039271841979455752668131737705242649216917737432341657111618709617902187015488522108174018501112699764001004189100419010048211004186100472390520100472610047271004722100472510042191004216100472810047191004721905211004724100472410047251004727100421910042161004723100472190520100482110041861004189100472810041909052110047191004726100472290521100482110041901004728100472110047271004219100472410047261004186100472310047221004216100472590520100471910041892.5.4322332.5.5576192.5.5576192.5.4322334.0.03.0.33.5.03.0.02.5.4322332.5.5576192.5.5576192.5.4322333.0.23.0.12.5.5576192.5.432233