patch
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00727143
Version: 8
HPSBMA02133 SSRT061201 rev.8 - HP Oracle for OpenView (OfO) Critical Patch Update
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2006-07-19
Last Updated: 2008-04-16
VMware vShield Manager 4.1 Update 1
VMware vShield Manager 1.0 Update 1
VMware Update Manager 5.0
ESXi 5.0 without patches ESXi500-201203101-SG, ESXi500-201112402-BG
ESXi 4.1 without patch ESXi410-201110202-UG
ESXi 4.0 without patch ESXi400-201110402-BG
ESX 4.1 without patch ESX410-201110201-SG
ESX 4.0 without patch ESX400-201110401-SG
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0005
Synopsis: VMware Hosted products, VI Client and patches for ESX
and ESXi resolve multiple security issues
Issue date: 2009-04-03
Updated on: 2009-04-03 (initial release of advisory)
CVE numbers: CVE-2008-4916 CVE-2008-3761 CVE-2009-1146
CVE-2009-1147 CVE-2009-0909 CVE-2009-0910
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00727143
Version: 7
HPSBMA02133 SSRT061201 rev.7 - HP Oracle for OpenView (OfO) Critical Patch Update
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2006-07-19
Last Updated: 2008-01-16
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
to promises...
So... with all this commentary, in the end, I still didn't read from the
"big'uns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total over-haul of the TCP/IP
stack is required; but does it really have to? Really?
How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
CVSS 2.0 Base Metrics
RESOLUTION
HP has made the following software patches available to resolve the vulnerability.
The patches can be downloaded from http://support.openview.hp.com/selfsolve/patches
Note: The patches require manual actions. Please refer to the patch documentation for installation instructions.
HP Enterprise Discovery Version 2.0 Patch Number HPED_00159
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01460710
Version: 1
HPSBST02336 SSRT080071 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-026 to MS08-029
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-05-19
Last Updated: 2008-05-19
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00727143
Version: 6
HPSBMA02133 SSRT061201 rev.6 - HP Oracle for OpenView (OfO) Critical Patch Update
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2006-07-19
Last Updated: 2007-10-24
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01606691
Version: 1
HPSBST02386 SSRT080164 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-067 to MS08-069
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-11-17
Last Updated: 2008-11-17
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01560892
Version: 1
HPSBST02372 SSRT080133 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-052 to MS08-055
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-09-24
Last Updated: 2008-09-24
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
addressed by this update.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  affected, patch pending
hosted *       any       any      for patch info see VMSA-2008-0005
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01503743
Version: 1
HPSBST02350 SSRT080102 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-037 to MS08-040
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-14
Last Updated: 2008-07-14
CVE-2008-0709 (AV:L/AC:L/Au:S/C:P/I:P/A:N) 3.2
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software patches to resolve the vulnerability.
The patches are available for download from http://support.openview.hp.com/selfsolve/patches
Note: To locate the patches on http://support.openview.hp.com/selfsolve/patches
1. set Product="select identity"
2. set Product version="All Versions"
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01172326
Version: 1
HPSBST02260 SSRT071471 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-051 to MS07-054
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-09-17
Last Updated: 2007-09-17
VMware ESXi and ESX updates to third party libraries and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.0 without patch ESXi400-201110401-SG.
ESX 4.0 without patches ESX400-201110401-SG, ESX400-201110403-SG,
ESX400-201110409-SG
3. Problem Description
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
-----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0014
Synopsis: VMware ESX patches for DHCP, Service Console kernel,
and JRE resolve multiple security issues
Issue date: 2009-10-16
Updated on: 2009-10-16 (initial release of advisory)
CVE numbers: CVE-2009-0692 CVE-2009-1893 CVE-2009-0692
CVE-2008-4210 CVE-2008-3275 CVE-2008-5356
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0015
Synopsis: VMware hosted products and ESX patches resolve two
security issues
Issue date: 2009-10-27
Updated on: 2009-10-27 (initial release of advisory)
CVE numbers: CVE-2009-2267 CVE-2009-3733
------------------------------------------------------------------------
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
It's only "default" for people running XP standalone/consumer that are
not even in a home network settings.
That kinda slices and dices that default down to a VERY narrow sub sub
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0007
Synopsis: VMware Hosted products and ESX and ESXi patches
resolve security issues
Issue date: 2009-05-28
Updated on: 2009-05-28 (initial release of advisory)
CVE numbers: CVE-2009-1805 CVE-2009-0040 CVE-2008-1382
------------------------------------------------------------------------
The Hewlett-Packard Company thanks Oren Isacson of Core Security Technologies for reporting these vulnerabilities to security-alert@hp.com.
RESOLUTION
HP has made archive files available to resolve the vulnerabilities. The archive files are listed in the tables below. The tables also list required patches. The patches will ensure that NNM is compatible with the software files in the archive.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0018
Synopsis: VMware Hosted products and patches for ESX and ESXi
resolve two security issues
Issue date: 2008-11-06
Updated on: 2008-11-06 (initial release of advisory)
CVE numbers: CVE-2008-4915 CVE-2008-4281
------------------------------------------------------------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01399555
Version: 1
HPSBST02320 SSRT080028 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-014 to MS08-017
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-03-17
Last Updated: 2008-03-17
vCenter Server 4.1 without Update 2
vCenter Update Manager 4.1 without Update 2
ESXi 4.1 without patch ESX410-201110201-SG.
ESX 4.1 without patches ESX410-201110201-SG,
ESX410-201110204-SG, ESX410-201110206-SG,ESX410-201110214-SG.
3. Problem Description
bulletin)
Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;) That was just my subtle way of trying to make a point. To be more explicit:
>
> 1) If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues. It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>
> 2) Think things through. If you are going to try to boot sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
>
> t
>
Yeah, I know what it is and what it's for ;) That was just my subtle way of trying to make a point. To be more explicit:
1) If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues. It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
2) Think things through. If you are going to try to boot sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
t
> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks Oren Isacson of Core Security Technologies for reporting these vulnerabilities to security-alert@hp.com.
RESOLUTION
HP has made archive files available to resolve the vulnerabilities. The archive files are listed in the tables below. The tables also list required patches. The patches will ensure that NNM is compatible with the software files in the archive.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
~ Security updates to aacraid driver, samba and python
2. Relevant releases:
ESX Server 3.0.2 without patches ESX-1003362, ESX-1003359, ESX-1003360
ESX Server 3.0.1 without patches ESX-1003350, ESX-1003347, ESX-1003348
ESX Server 2.5.5 Upgrade Patch 4
ESX Server 2.5.4 Upgrade Patch 15
NOTE: ESX 2.5.4 is in Extended Support and its end of support (Security
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0018
Synopsis: VMware hosted products and ESX patches resolve
multiple security issues
Issue date: 2010-12-02
Updated on: 2010-12-02 (initial release of advisory)
CVE numbers: CVE-2010-4295 CVE-2010-4296 CVE-2010-4297
CVE-2010-4294