-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0001
Synopsis:          ESX Service Console updates for nss and nspr
Issue date:        2010-01-06
Updated on:        2010-01-06 (initial release of advisory)
CVE numbers:       CVE-2009-2409 CVE-2009-2408 CVE-2009-2404
                   CVE-2009-1563 CVE-2009-3274 CVE-2009-3370
                   CVE-2009-3372 CVE-2009-3373 CVE-2009-3374
                   CVE-2009-3375 CVE-2009-3376 CVE-2009-3380
                   CVE-2009-3382
- -----------------------------------------------------------------------
1. Summary

   Update for Service Console packages nss and nspr

2. Relevant releases

   VMware ESX 4.0 without patch ESX400-200912403-SG

3. Problem Description

 a. Update for Service Console packages nss and nspr

    Service console packages for Network Security Services (NSS) and
    NetScape Portable Runtime (NSPR) are updated to versions
    nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This
    patch fixes several security issues in the service console
    packages for NSS and NSPR.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404,
    CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372,
    CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376,
    CVE-2009-3380, and CVE-2009-3382 to these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-200912403-SG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            3.0.2     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 4.0
   -------
   ESX400-200912403-SG

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
   md5sum: 78c6cf139b7941dc736c9d3a41deae77
   sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
   http://kb.vmware.com/kb/1016293

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912403-SG
   update

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1563
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3274
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3370
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3372
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3373
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3374
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3375
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3376
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3380
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3382

- ------------------------------------------------------------------------
6. Change log

2010-01-06  VMSA-2010-0001
Initial security advisory after release of patch ESX400-200912403-SG
for ESX 4.0 on 2010-01-06.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLRYwLS2KysvBH1xkRArmBAJoDcO5waCyCE+lfmEwuILVjcqeLngCcCzNo
HgNlBjOx5iQw7etlwwpbyuo=
=bIJJ
-----END PGP SIGNATURE-----