Security Update for VMware ESX 4.0.0
VMware has released an update (direct download) for the Console-Package for VMware ESX 4.0.0 which addresses weaknesses in udev, cURL and sudo. The errors in sudo and udev allowed a normal user to gain root privileges.
The error in cURL allowed an attacker to look at files on the system or, potentially, write to them. This was caused by an automatic redirect feature which could redirect an http:// request from a server to a local file:// URL. The holes have been closed in the individual open source projects for several months.
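The redirect problem described above comes down to a client trusting the scheme in a server-supplied Location header. The following is an added example, not code from cURL or VMware: a client-side redirect policy that resolves each Location value and refuses any target outside an http/https allowlist. The names `next_hop`, `follow`, `RedirectRefused` and the sample responses are hypothetical and constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: this client only ever needs to fetch web resources.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class RedirectRefused(Exception):
    """Raised when a redirect target violates the policy."""


def next_hop(current_url, location):
    """Resolve a Location header against the current URL and vet its scheme."""
    target = urljoin(current_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise RedirectRefused(f"redirect to {scheme}:// refused: {target}")
    return target


def follow(start_url, responses):
    """Walk a redirect chain; `responses` maps URL -> (status, Location)."""
    url = start_url
    for _ in range(MAX_HOPS + 1):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return url  # final resource reached
        url = next_hop(url, location)
    raise RedirectRefused("too many redirects")


# Constructed sample responses (no network access is performed).
SAMPLE_RESPONSES = {
    "http://origin.example/a": (302, "/b"),
    "http://origin.example/b": (301, "https://origin.example/final"),
    "http://origin.example/local": (302, "FILE:///etc/hostname"),
    "http://origin.example/loop": (302, "/loop"),
}

if __name__ == "__main__":
    print(follow("http://origin.example/a", SAMPLE_RESPONSES))
    try:
        follow("http://origin.example/local", SAMPLE_RESPONSES)
    except RedirectRefused as err:
        print(err)
```

The scheme is checked after resolution and lower-casing, so relative redirects and mixed-case schemes are handled by the same test.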
See also:
- VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl, the VMware security announcement.
- Security Update for cURL, a report from The H.
- Vulnerabilities in Linux allow root privileges, a report from The H.
(djwm)