VMware Server 2.0.2
Update details:
# Security Fixes
* New: Exception handling privilege escalation on Guest Operating System
This release addresses a security vulnerability in exception handling. Improper setting of the exception code on page faults might allow for local privilege escalation on the guest. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2267 to this issue.
* New: Directory Traversal Vulnerability on Linux-based hosts
This release addresses a directory traversal vulnerability that is present on host systems and that may allow for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides. The issue is present on Linux-based hosts only, not on Windows-based hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3733 to this issue.
# Miscellaneous
* Disk Stress Test fails with data corruption error
WLK DiskStress test fails with data corruption error on LSI Logic virtual device.
* Server 2.0.1 does not allow vmnet-bridge service to be run in the foreground
The vmnet-bridge service has a parameter -d for putting it in daemon mode. Without using the -d parameter, the vmnet-bridge service should be able to run in the foreground. This was not working. This issue is resolved in this release.
Version download: VMware Server 2.0.2
VMware Server 2.0.1
Update details:
Security Fixes
* New: Host code execution vulnerability from a guest operating system
A critical vulnerability in the virtual machine display function might
allow a guest operating system to run code on the host. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2009-1244 to this issue.
* VMnc codec heap overflow vulnerabilities
The VMnc codec assists in record and replay of sessions which are records
of the dynamic virtual machine state over a period of time. Two heap
overflow vulnerabilities might allow a remote attacker to execute
arbitrary code on VMware hosted products. For an attack to be successful,
the user must visit a malicious Web page or open a malicious video file.
The Common Vulnerabilities and Exposures project has assigned the names
CVE-2009-0909 and CVE-2009-0910 to these issues.
* A VMCI privilege escalation on Windows-based hosts or Windows-based guests
The Virtual Machine Communication Interface (VMCI) provides fast and
efficient communication between two or more virtual machines on the same
host and between a virtual machine and the host operating system. A
vulnerability in vmci.sys might allow privilege escalation on
Windows-based machines. This might occur on Windows-based hosts or inside
Windows-based guest operating systems. Current versions of ESX Server do
not support the VMCI interface and hence they are not affected by this
vulnerability. To correct this vulnerability on Windows-based hosts, see
Virtual Machine Communication Interface (VMCI) privilege escalation on
Windows-based Workstation, Player, ACE and Server (KB 1009826).
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2009-1147 to this issue.
* A remote denial-of-service vulnerability in authd for Windows-based hosts
A vulnerability in vmware-authd.exe might cause a denial-of-service
condition on Windows hosts. The Common Vulnerabilities and Exposures
project has assigned the name CVE-2009-0177 to this issue.
* Updated vm-support script
This release improves data collection when the vm-support script is run by
the Server administrator on request of VMware support or its support
partners. The file that contains the SSL keys for communication between
Server and vCenter and other applications is no longer collected. For more
details, see the KB article Data Security Best Practices - SSL keys for
communicating with VirtualCenter and other applications (KB 1008166).
* Windows-based host privilege escalation in hcmon.sys
A vulnerability in an I/O Control (ioctl) function in hcmon.sys might be
used to escalate privileges on a Windows-based host. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2009-1146
to this issue.
New releases of hosted products address a denial-of-service problem
described in CVE-2008-3761, which can only be exploited by a privileged
Windows account.
* Denial-of-service vulnerability in a virtual device
A vulnerability in a guest virtual device driver might allow a guest
operating system to cause the host and consequently any virtual machine on
that host to fail. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2008-4916 to this issue.
Miscellaneous
* Mount installer option mounts current CD-ROM image instead of VMware Tools
installer image
If a CD-ROM image is mounted to a virtual machine with VMware Tools
installed, the Mount installer option in the Web UI incorrectly mounts the
CD-ROM image instead of the VMware Tools image. The issue is resolved in
this release.
* Unable to install the latest version of VIX API on Server 2.0.x
You cannot install VMware VIX API 1.6.2 due to an issue with the MSI
installer for VIX API. This issue is resolved in this release.
* The default VI Web Access HTTP connection port is 8222 and the default
HTTPS port is 8333. If you use these defaults, or any values other than 80
(HTTP) and 443 (HTTPS), you must specify the port number when you connect to
VMware Server using VI Web Access. You must also allow connection to these
ports through your firewall.
An example URL to connect to VI Web Access is http://server_host:8222
If you want to use ports 80 (HTTP) and 443 (HTTPS), override the default
values during installation.
Note: If you are running IIS or Apache web server on the default ports,
specify alternate HTTP and HTTPS ports when prompted by the Windows
installer or vmware-config.pl. Alternatively, stop IIS's default Web site
or any other Web site running on these ports. On Linux, shut down Apache
or any other application using these ports and make sure they are not
configured to restart automatically.
This issue is resolved in this release.
Version download: VMware Server 2.0.1
VMware Server 2.0.0
Update details:
The wait for VMware Server 2 is over and it’s better than ever! The next generation VMware Server equips you with a stable, easy-to-use hosted virtualization platform. In beta since November 2007, VMware Server 2 introduces numerous enhancements including new operating system support, 64-bit operating system support, increased virtual machine scalability, new management tools and more.
Version download: VMware Server 2.0.0
VMware Server 1.0.7
Update details:
Server 1.0.7 addresses the following security issues:
* Security Fix for VMware ISAPI Extension
Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product.
One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3697 to this issue.
* Setting ActiveX killbit
From this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the KB article 240797 from Microsoft and the related references on this topic.
Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.
Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.
Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls.
To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.
* Security Fix for Local Privilege Escalation on Host System
This release fixes a privilege escalation vulnerability in host operating systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3698 to this issue.
* Update to FreeType
FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to its latest version 2.3.7.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in FreeType 2.3.6.
Version download: VMware Server 1.0.7
VMware Server 1.0.6
Update details:
Issues Resolved in VMware Server 1.0.6
* Virtual machines fail unexpectedly after a Symantec virus definition update from version 213 to version 220.
bug 252341
* Previous versions of VMware Server allowed using the VIX API from the guest operating system. In VMware Server 1.0.6 this is no longer allowed by default. This feature can be enabled in VMware Server 1.0.6 by setting a new parameter in the configuration (.vmx) file: vix.inGuest.enable="TRUE"
Version download: VMware Server 1.0.6
VMware Server 1.0.5
Update details:
Version 1.0.5 is a maintenance bug fix release to address security issues. See Resolved Issues for information on what has been fixed.
In addition, Version 1.0.5 improves Remote Console performance and screen refreshing.
Version download: VMware Server 1.0.5
VMware Server 1.0.4
Update details:
Issues Resolved in VMware Server 1.0.4
* In previous releases, when a virtual machine configuration (.vmx) file contained the line serialX.HardwareFlowControl = TRUE, the modem control signals were not correctly handled. This release fixes that problem. Modem control signals are now strictly passed through between the virtual and the physical serial port.
* This release fixes a problem that caused Fedora Core 7 to fail with an ASSERT when issuing SCSI commands that have illegal targets. This problem is not clearly exploitable by a normal user.
* This release fixes a problem that could cause Linux virtual machines with VMI-enabled kernels to run very slowly after being rebooted repeatedly.
* This release fixes a problem that could cause a virtual machine to fail at power-on when using a sound card with more than two mixer channels on a Windows 32-bit host.
* This release fixes a problem that could cause a 64-bit Solaris 10 virtual machine to fail at power-on after being updated with Solaris Update Patch 125038-04.
* This release fixes a problem that resulted from a conflict between Linux guest operating systems with kernel version 2.6.21 and RTC-related processes on the host. This problem caused the virtual machine to quit unexpectedly.
* This release fixes a problem that caused the hostd to quit unexpectedly in virtual machines with a corrupted snapshot.
* This release fixes a problem that prevented virtual machines running Fedora Core 7 from properly recognizing LSILogic SCSI devices.
* This release fixes a problem that prevented the VMware vmmon module from building correctly on hosts running Linux with kernel version 2.6.20-rc1.
* This release fixes a problem that prevented the VMware vmnet module from building correctly on hosts running Linux with kernel versions higher than 2.6.21.
* This release fixes a problem that could corrupt the guest's memory on hosts running Linux with kernel versions higher than 2.6.21.
* This release fixes the following problem: when a user attempts to access a virtual machine through the Windows remote VMware Service Console, and the user does not have execute permission on the virtual machine configuration (.vmx) file, the display is blank with no indication of the actual problem. This release adds an error message in this circumstance, to advise the user that execute access is required to connect to the virtual machine with the VMware Service Console.
* This release fixes a problem with virtual machines running Red Hat Linux 7.1, kernel version 2.4.2, that caused the guest operating system to become unresponsive during the installation of VMware Tools, after the user selected the default display size.
* This release fixes a problem that prevented VMware Player from launching. This problem was accompanied by the error message VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred. This problem could result in a security vulnerability from some images stored in virtual machines downloaded by the user.
Security Issues Resolved in VMware Server 1.0.4
* This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4496.
Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
* This release fixes a security vulnerability that could allow a guest operating system user without administrator privileges to cause a host process to become unresponsive or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4497.
Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
* This release fixes several security vulnerabilities in the VMware DHCP server that could enable a malicious web page to gain system-level privileges.
Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following names to these issues: CVE-2007-0061, CVE-2007-0062, CVE-2007-0063.
* This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system.
Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4059.
* This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system.
Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4155.
* This release fixes a security vulnerability in which VMware Server was starting registered Windows services such as the Authorization service with "bare" (unquoted) paths, such as c:\program files\vmware\.... Applications and services in Windows must be started with a quoted path. This vulnerability could allow a malicious user to escalate user privileges.
Thanks to Foundstone for discovering this vulnerability.
* This release fixes a problem that could cause user passwords to be printed in cleartext in some VMware Server logs.
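A check for the unquoted service path issue described above, as an added example (not VMware's code). It takes a mapping of service names to their registry ImagePath strings and reports the unquoted ones, together with the shorter paths Windows would try first; the service names and paths below are constructed samples.

```python
import re

# Executable part of an unquoted command line: everything up to the first
# .exe/.com/.bat/.cmd that is followed by whitespace or the end of the string.
_EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)

# Constructed sample data: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES = {
    "AuthSvc": r"C:\Program Files\VMware\VMware Server\vmware-authd.exe",
    "NatSvc": r'"C:\Program Files\VMware\VMware Server\vmnat.exe" -x',
    "HostSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "AgentSvc": r"C:\Program Files\Example App\svc.exe -d",
}


def executable_of(image_path):
    """Return (executable_path, was_quoted) for a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_RE.match(s)
    return (m.group(1) if m else s), False


def shadow_candidates(executable):
    """Paths tried before the real executable when the path is unquoted.

    CreateProcess splits an unquoted command line at each space, left to
    right, and tries the prefix with ".exe" appended.
    """
    return [executable[:i] + ".exe"
            for i, ch in enumerate(executable) if ch == " "]


def audit_services(services):
    """List services whose ImagePath is unquoted and contains a space."""
    findings = []
    for name, image_path in sorted(services.items()):
        exe, quoted = executable_of(image_path)
        if quoted or " " not in exe:
            continue
        arguments = image_path.strip()[len(exe):]
        findings.append({
            "service": name,
            "executable": exe,
            # These files should not exist, and their parent directories
            # should not be writable by unprivileged users.
            "check_absent": shadow_candidates(exe),
            "quoted_form": '"%s"%s' % (exe, arguments),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding["service"], "->", finding["quoted_form"])
        for path in finding["check_absent"]:
            print("   verify absent:", path)
```
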
Version download: VMware Server 1.0.4
VMware Server 1.0.3
Update details:
Issues Resolved in VMware Server 1.0.3
* This release fixes a problem with VMware Tools that caused the guest to run out of memory.
* VMware Server 1.0.3 fixes a bug introduced in the VMware Server version 1.0.2 VIX API. As a result of this bug, if Vix_ReleaseHandle (vmhandle) and VixHost_Disconnect (hosthandle) are called, a crash occurs in VixHost_Disconnect(). This crash is accompanied by the following error message:
VMware Server Error:
VMware Server unrecoverable error: (app)
ASSERT /build/mts/release/bora-39867/pompeii2005/bora/lib/vmdb/vmdbCtx.c:487 bugNr=23952
A log file is available in "/tmp/vmware-mark/vix-3749.log". Please request support and include the contents of the log file.
To collect files to submit to VMware support, run vm-support.
We will respond on the basis of your support entitlement.
Security Issues Resolved in VMware Server 1.0.3
* Virtual machines can be put in various states of suspension, as specified by the ACPI power management standard. When returning from a sleep state (S2) to the run state (S0), the virtual machine process (VMX) collects information about the last recorded running state for the virtual machine. Under some circumstances, VMX read state information from an incorrect memory location. This issue could be used to complete a successful Denial-of-Service attack where the virtual machine would need to be rebooted.
Thanks to Tavis Ormandy of Google for identifying this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1337 to this issue.
* Some VMware products support storing configuration information in VMware system files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.
Thanks to Sungard Ixsecurity for identifying this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1877 to this issue.
* Some VMware products managed memory in a way that failed to gracefully handle some general protection faults (GPFs) in Windows guest operating systems. A malicious user could use this vulnerability to crash Windows virtual machines. While this vulnerability could allow an attacker to crash a virtual machine, we do not believe it was possible to escalate privileges or escape virtual containment.
Thanks to Ruben Santamarta of Reversemode for identifying this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1069 to this issue.
* In a 64-bit Windows guest on a 64-bit host, debugging local programs could create system instability. Using a debugger to step into a syscall instruction may corrupt the virtual machine's register context. This corruption produces unpredictable results including corrupted stack pointers, kernel bugchecks, or vmware-vmx process failures.
Thanks to Ken Johnson for identifying this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1876 to this issue.
Version download: VMware Server 1.0.3
VMware Server 1.0.2
Update details:
Issues Resolved in VMware Server 1.0.2
* This release fixes certain memory leaks in VMware Tools on Windows guests.
* The vm-support script, which collects log files and other system information, now collects the bootloader configuration file.
* This release includes improved support for Intel family F processors.
* This release includes new support for Intel Rockton processors.
* This release fixes a bug that, under rare conditions, caused a crash when many virtual machines were booting under a heavy load.
* This release includes prebuilt modules for VMware Tools for SuSE SLES 10.
* This release fixes a bug that sometimes caused an assertion failure when calling VixVM_Open on an unregistered virtual machine.
* Starting in this release, guest.commands.allowAnonRootGuestCommandsOnHost and guest.commands.allowAnonRootGuestCommands settings can no longer be included in the .vmx file. To affect all the virtual machines on the host, you can include these settings in the global configuration file $LIBDIR/settings or CommonAppData\settings.ini.
* Kernel modules now build on 2.6.18 kernels.
* Kernel modules now build on Debian's 2.6.17 kernels.
* HGFS now builds on 2.6.18-rc1 kernels.
* This release fixes a bug that occasionally caused a crash when uninstalling VMware Server just after resuming a Windows host system.
* This release fixes a bug that occasionally crashed 64-bit Windows Server 2003 Enterprise Edition hosts with SP1.
* This release fixes a bug that occasionally caused direct execution errors in V8086 mode when running 16-bit DOS applications in a Windows guest. This fix prevents direct execution errors that are caused by the sysenter instruction being improperly handled, and thus enables DOS applications to execute properly.
* CD-ROM and DVD-ROM emulation now work correctly in Vista guests.
* Vmnet compilation now works correctly for bridged networking on 2.6.18 or higher kernels.
* This release fixes a bug that, under rare conditions, caused guest memory to become corrupted.
* Second and subsequent snapshots no longer contain the absolute path to the base .vmdk file. This fix allows the virtual machine to be moved to another machine.
* This release fixes a bug that, under rare conditions, caused a system panic with sunfire 4100 hardware on a RedHat 4 64-bit guest.
* This release fixes a bug that occasionally caused Windows guests with dual vmxnet adapters to lose network connectivity.
* This release fixes a bug that occasionally caused a core dump when opening and powering on a FreeBSD6.0 guest and invoking VMware Tools.
* VMware Server 1.0.2 now correctly uses 2-CPU licenses instead of 8-CPU licenses on quad core machines.
* This release fixes a bug that occasionally caused a hang on RedHat Enterprise Linux 3 U5 virtual machines.
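An added example (not part of the release notes) that audits a .vmx file for the settings these notes single out: vix.inGuest.enable, which the 1.0.6 notes say re-enables the VIX API from the guest, and the two guest.commands.* settings that the 1.0.2 notes say no longer belong in a .vmx file. The sample file content is constructed, and matching keys case-insensitively is an assumption of this example.

```python
import re

# One setting per line: key = "value" (quotes optional). '#' starts a comment.
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?(.*?)"?\s*$')

# Settings the 1.0.2 notes move out of per-VM .vmx files.
PER_VM_DISALLOWED = (
    "guest.commands.allowAnonRootGuestCommandsOnHost",
    "guest.commands.allowAnonRootGuestCommands",
)

# Constructed sample .vmx content.
SAMPLE_VMX = "\n".join([
    "# constructed sample",
    'config.version = "8"',
    'displayName = "build-vm"',
    'vix.inGuest.enable = "TRUE"',
    'guest.commands.allowAnonRootGuestCommands = "TRUE"',
    'memsize = "512"',
])


def parse_vmx(text):
    """Return {lowercased key: (value, line number)}; a later line wins."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = (m.group(2), lineno)
    return settings


def audit_vmx(text):
    """Return sorted (line, key, reason) tuples for settings worth reviewing."""
    settings = parse_vmx(text)
    findings = []
    value, lineno = settings.get("vix.inguest.enable", ("", 0))
    if value.strip().upper() == "TRUE":
        findings.append((lineno, "vix.inGuest.enable",
                         "VIX API from the guest re-enabled "
                         "(off by default since Server 1.0.6)"))
    for key in PER_VM_DISALLOWED:
        if key.lower() in settings:
            findings.append((settings[key.lower()][1], key,
                             "not allowed in a .vmx file since Server 1.0.2; "
                             "belongs in the global configuration file"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, key, reason in audit_vmx(SAMPLE_VMX):
        print("line %d: %s: %s" % (lineno, key, reason))
```
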
Security Issues Resolved in VMware Server 1.0.2
* This release fixes a security issue that could allow a malicious user to crash Windows guest operating systems. Rubén Santamarta of Reversemode discovered a vulnerability in the way that VMware delivered General Protection Faults to Windows guest operating systems, which is now fixed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1069 to this issue.
* This release fixes a security issue with the configuration program vmware-config, which could set incorrect permissions and umask on SSL key files. Local users might have been able to obtain access to the SSL key files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3589 to this issue.
Note: The affected files include /usr/bin/vmware-config.pl and /usr/bin/vmware-config-mui.pl.
* RunProgramInGuest was being executed as SYSTEM in Windows guests. Now it executes as the user running it with that user's permissions.
Version download: VMware Server 1.0.2