Debian Bug report logs -
#1050970
open-vm-tools: CVE-2023-20900
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 31 Aug 2023 20:09:01 UTC
Severity: grave
Tags: security, upstream
Found in versions open-vm-tools/2:12.2.5-1, open-vm-tools/2:12.2.0-1, open-vm-tools/2:11.2.5-2
Fixed in versions open-vm-tools/2:12.3.0-1, open-vm-tools/2:12.2.0-1+deb12u1, open-vm-tools/2:11.2.5-2+deb11u2
Done: Bernd Zeimetz <bzed@debian.org>
Bug is archived. No further changes may be made.
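As an added example (not part of this bug log or of the open-vm-tools project), the following Python re-implements dpkg's version ordering and checks an installed open-vm-tools version against the per-suite fixed versions listed above. The FIXED_IN table is copied from the "Fixed in versions" line; the suite of each host is assumed to be known from inventory, and the inventory rows at the bottom are constructed sample data. The point it makes is that the fixed versions are per suite: bookworm's 2:12.2.0-1+deb12u1 sorts below unstable's 2:12.3.0-1, so a check against a single global minimum would report patched stable hosts as still vulnerable.

```python
"""Debian version comparison and fixed-version check for CVE-2023-20900.

Re-implements dpkg's version ordering (epoch, upstream, revision; '~'
sorts before everything including end of string, digit runs compare
numerically) in pure Python so the check also runs where dpkg is not
installed, e.g. on a collector fed with package inventories.
"""
from typing import Optional, Tuple

# Fixed versions per suite, copied from the "Fixed in versions" line of
# Debian bug #1050970.
FIXED_IN = {
    "bullseye": "2:11.2.5-2+deb11u2",
    "bookworm": "2:12.2.0-1+deb12u1",
    "unstable": "2:12.3.0-1",
}


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg orders them:
    '~' < end of string < letters < any other character."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs (weighted lexical
    compare) and digit runs (numeric compare, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, then compare digit by digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1    # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the last '-' starts the revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` sorts before, equal to or after `b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def guess_suite(version: str) -> Optional[str]:
    """Only stable-security revisions carry a suite marker (+deb11u, +deb12u);
    an unmarked version cannot be attributed to a suite from the string alone."""
    if "+deb11u" in version:
        return "bullseye"
    if "+deb12u" in version:
        return "bookworm"
    return None


def is_fixed(installed: str, suite: str) -> bool:
    """True if `installed` is at or above the CVE-2023-20900 fix for `suite`."""
    return dpkg_compare(installed, FIXED_IN[suite]) >= 0


if __name__ == "__main__":
    # Constructed inventory rows (host, suite, open-vm-tools version), not real data.
    inventory = [
        ("vm-a", "bookworm", "2:12.2.0-1"),
        ("vm-b", "bookworm", "2:12.2.0-1+deb12u1"),
        ("vm-c", "bullseye", "2:11.2.5-2"),
        ("vm-d", "unstable", "2:12.2.5-1"),
    ]
    for host, suite, ver in inventory:
        state = "fixed" if is_fixed(ver, suite) else "VULNERABLE"
        print(f"{host:5} {suite:9} {ver:24} {state}")
```

Run it on a real host with `dpkg-query -W -f='${Version}' open-vm-tools` as the version and the suite from /etc/os-release; where dpkg is available, `dpkg --compare-versions` gives the same ordering and is the authoritative implementation.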
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Thu, 31 Aug 2023 20:09:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>.
(Thu, 31 Aug 2023 20:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: open-vm-tools
Version: 2:12.2.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for open-vm-tools.
CVE-2023-20900[0]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor with man-in-the-middle (MITM) network positioning
| between vCenter server and the virtual machine may be able to bypass
| SAML token signature verification, to perform VMware Tools Guest
| Operations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-20900
https://www.cve.org/CVERecord?id=CVE-2023-20900
[1] https://www.openwall.com/lists/oss-security/2023/08/31/1
[2] https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Wed, 06 Sep 2023 07:30:04 GMT)
Acknowledgement sent
to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Wed, 06 Sep 2023 07:30:04 GMT)
Message #10 received at 1050970@bugs.debian.org:
Hi,
FYI I'm currently preparing 12.3.0 (see bug 1050972) which will close this
bug for trixie.
--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd
Reply sent
to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
You have taken responsibility.
(Wed, 06 Sep 2023 09:09:03 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 06 Sep 2023 09:09:03 GMT)
Message #15 received at 1050970-close@bugs.debian.org:
Source: open-vm-tools
Source-Version: 2:12.3.0-1
Done: Christian Ehrhardt <christian.ehrhardt@canonical.com>
We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1050970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Ehrhardt <christian.ehrhardt@canonical.com> (supplier of updated open-vm-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 Sep 2023 09:00:51 +0200
Source: open-vm-tools
Built-For-Profiles: noudeb
Architecture: source
Version: 2:12.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Closes: 1050970 1050972
Changes:
open-vm-tools (2:12.3.0-1) unstable; urgency=high
.
* [4ed4be4] New upstream version 12.3.0
(Closes: #1050972)
CVE-2023-20900
Addressing this CVE also Closes: #1050970
There are no new features in the open-vm-tools 12.3.0 release. This is
primarily a maintenance release; details can be found at
https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md
* [779d338] drop d/p/debian/grpc_1.51: no more needed
Checksums-Sha1:
6f13ae7985b728a7df08e1912f56d5f4ede3dcdb 2912 open-vm-tools_12.3.0-1.dsc
d1220422d16e9573d3f2afbf27c1deaaaa7b4ee6 2984891 open-vm-tools_12.3.0.orig.tar.gz
bb42d578cc1dd41ad18ffd53a0d63580ac0e30f6 33944 open-vm-tools_12.3.0-1.debian.tar.xz
e3be7d6f0acb851b48e15ca5d811d1f7eb63ab1b 17490 open-vm-tools_12.3.0-1_source.buildinfo
Checksums-Sha256:
9830b2b0bf6ff677a6ac0c39e200af69388f59ffe1c8f0e3ed5156db469d206e 2912 open-vm-tools_12.3.0-1.dsc
c69f7bcd4262726758302d20e594b2f11012334c9e53c47dabf8f4d0fdd16fff 2984891 open-vm-tools_12.3.0.orig.tar.gz
e2adde0860e7de634d30643b486f71dacf6c1d20c6b75caceedb566446263e10 33944 open-vm-tools_12.3.0-1.debian.tar.xz
9e94ef3e9bef4c239193a4755f7bda73119232665a3ce378034e4004ee1a7fee 17490 open-vm-tools_12.3.0-1_source.buildinfo
Files:
0424ac73af2ba346a3c3c7617c97c29a 2912 admin optional open-vm-tools_12.3.0-1.dsc
7f4c11b8e63a1cae6a77d80dd353a792 2984891 admin optional open-vm-tools_12.3.0.orig.tar.gz
46a91c9ce04651856ef41963407c34fa 33944 admin optional open-vm-tools_12.3.0-1.debian.tar.xz
68686b8e52cdf7260794cfc497d69601 17490 admin optional open-vm-tools_12.3.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEktYY9mjyL47YC+71uj4pM4KAskIFAmT4PLcACgkQuj4pM4KA
skItWg//ck35ejT4KizQ0ri0qjY/EtgdnNH9hvn8kxJWryqpS4vK62EGZbozcPSh
JnwlG8yiCFoL0gcLhuPB00xLBMhhBvFTn6hi64jQPEKUArU244RKIZkhARhwD44L
S4/+8hLOG9s+FDp9WxHWWHKa38xAbJBWSJQQaKVRJmfHvVR/eXH8BNJwlyUDbPte
ECeiB5NObyfFnUFuXQg3FoSQOkkvakR7XCxzO+BfRFDBp9WefReoo2OW28z4eAnJ
+zTTnXWDY2ihHYmNNyl7+m2ybRFkRusWYu4z1Pu5t7B244OQ6x7yC37HrRJcCr1f
rCDmJRkAmTGXjIy1XPC/sUQROL1dMdL7WvlprPm4D0AMCNng/GOicru2A1Fozgqx
g+cTzBgp3Eo+k5E298c831kgIpi1PDXvc7mI78QOIKpVFl53EOeoZvEqvFdFK4mf
HYRO1/lEwkbli0ZRE5T0eCYYz+f4fgXsBIXwkmJIONEX59WRcP3RSIm4Fy4MLW3i
Vam5k5jd9nDiCX0sT12UsLyC2vuOFbgXUmAe5khMehhgNFcmpDWxihmIMDemYQnK
KjNEk8SzjSaudiSbNzE1X5F9g39fsgHh1z1QI/G31BbPLPXkzYGL42oXo+LNim8M
H0imlWB8d8FdxitUiA1Vf4PINUaxsmd+rX3xFjWtd73aGJHFNqE=
=r7ad
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Wed, 06 Sep 2023 18:21:03 GMT)
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Wed, 06 Sep 2023 18:21:03 GMT)
Message #20 received at 1050970@bugs.debian.org:
On 2023-09-06 20:11, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and
> buster-security
(bullseye-security of course... - we clearly have too many releases with
bu....)
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Wed, 06 Sep 2023 18:21:04 GMT)
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Wed, 06 Sep 2023 18:21:04 GMT)
Message #25 received at 1050970@bugs.debian.org:
Hi security team,
I'm preparing security uploads for bookworm-security and buster-security
for
> CVE-2023-20900[0]:
> | VMware Tools contains a SAML token signature bypass vulnerability. A
> | malicious actor with man-in-the-middle (MITM) network positioning
> | between vCenter server and the virtual machine may be able to bypass
> | SAML token signature verification, to perform VMware Tools Guest
> | Operations.
>
any objections against fixing CVE-2023-20867 at the same time?
It's a minor issue so we did not fix it, but I think it doesn't hurt
to include it in stable/oldstable uploads while we are at it.
Current (untested) diff would be:
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/commit/3812674370c07c708744c0d1d497583dffa3d665
Thanks,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Wed, 06 Sep 2023 19:09:02 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Wed, 06 Sep 2023 19:09:02 GMT)
Message #30 received at 1050970@bugs.debian.org:
On Wed, Sep 06, 2023 at 08:11:17PM +0200, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and buster-security
> for
>
> > CVE-2023-20900[0]:
> > | VMware Tools contains a SAML token signature bypass vulnerability. A
> > | malicious actor with man-in-the-middle (MITM) network positioning
> > | between vCenter server and the virtual machine may be able to bypass
> > | SAML token signature verification, to perform VMware Tools Guest
> > | Operations.
> >
>
> any objections against fixing CVE-2023-20867 at the same time?
> It's a minor issue so we did not fix it, but I think it doesn't hurt
> to include it in stable/oldstable uploads while we are at it.
Ack, that's perfectly fine!
> Current (untested) diff would be:
>
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/commit/3812674370c07c708744c0d1d497583dffa3d665
I'll have a look tomorrow.
Cheers,
Moritz
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 06 Sep 2023 19:21:06 GMT)
Marked as found in versions open-vm-tools/2:12.2.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 06 Sep 2023 19:21:07 GMT)
Marked as found in versions open-vm-tools/2:11.2.5-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 06 Sep 2023 19:21:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Thu, 07 Sep 2023 09:45:10 GMT)
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 07 Sep 2023 09:45:10 GMT)
Message #41 received at 1050970@bugs.debian.org:
Hi Moritz,
> Ack, that's perfectly fine!
>
Thanks!
Here are the current diffs:
bullseye:
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/15b2b38edd7834b7ad93ae25831fc7ef2bf7ce28...bullseye?from_project_id=38835&straight=false
bookworm:
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/2231c605efb0564efee229d6c535033159cc92bc...bookworm?from_project_id=38835&straight=false
> I'll have a look tomorrow.
Thanks,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Thu, 07 Sep 2023 09:48:04 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 07 Sep 2023 09:48:04 GMT)
Message #46 received at 1050970@bugs.debian.org:
On Thu, Sep 07, 2023 at 11:43:27AM +0200, Bernd Zeimetz wrote:
> Hi Moritz,
>
> > Ack, that's perfectly fine!
> >
>
> Thanks!
>
> Here are the current diffs:
>
> bullseye:
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/15b2b38edd7834b7ad93ae25831fc7ef2bf7ce28...bullseye?from_project_id=38835&straight=false
>
> bookworm:
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/2231c605efb0564efee229d6c535033159cc92bc...bookworm?from_project_id=38835&straight=false
These look good, please upload to security-master. bookworm needs to be built with -sa since it's the first upload,
bullseye doesn't. Thanks!
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1050970; Package src:open-vm-tools.
(Thu, 07 Sep 2023 16:27:03 GMT)
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 07 Sep 2023 16:27:03 GMT)
Message #51 received at 1050970@bugs.debian.org:
Hi,
> > https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/15b2b38edd7834b7ad93ae25831fc7ef2bf7ce28...bullseye?from_project_id=38835&straight=false
> >
> > bookworm:
> > https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/compare/2231c605efb0564efee229d6c535033159cc92bc...bookworm?from_project_id=38835&straight=false
>
> These look good, please upload to security-master. bookworm needs to
> be built with -sa since it's the first upload,
> bullseye doesn't. Thanks!
>
Both uploaded (and fixed the version for the bookworm upload before
uploading, seems dch still lives in bullseye...).
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply sent
to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility.
(Tue, 12 Sep 2023 18:51:05 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 12 Sep 2023 18:51:05 GMT)
Message #56 received at 1050970-close@bugs.debian.org:
Source: open-vm-tools
Source-Version: 2:12.2.0-1+deb12u1
Done: Bernd Zeimetz <bzed@debian.org>
We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1050970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated open-vm-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 06 Sep 2023 20:01:06 +0200
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-containerinfo open-vm-tools-containerinfo-dbgsym open-vm-tools-dbgsym open-vm-tools-desktop open-vm-tools-desktop-dbgsym open-vm-tools-dev open-vm-tools-salt-minion open-vm-tools-sdmp open-vm-tools-sdmp-dbgsym
Architecture: source amd64
Version: 2:12.2.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description:
open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
open-vm-tools-containerinfo - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
open-vm-tools-salt-minion - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
open-vm-tools-sdmp - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
Closes: 1050970
Changes:
open-vm-tools (2:12.2.0-1+deb12u1) bookworm-security; urgency=medium
.
* [3812674] Fixing CVE-2023-20867, CVE-2023-20900
- Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
A fully compromised ESXi host can force VMware Tools to fail to
authenticate host-to-guest operations, impacting the confidentiality
and integrity of the guest virtual machine.
- SAML token signature bypass vulnerability (CVE-2023-20900)
A malicious actor with man-in-the-middle (MITM) network positioning
between vCenter server and the virtual machine may be able to bypass
SAML token signature verification, to perform VMware Tools Guest
Operations. (Closes: #1050970)
* [fb0ab84] Updating gitlab CI and GBP to build in bookworm
Checksums-Sha1:
a2f8437766cff2f597ecf4c49eb2eaf23011e86b 2969 open-vm-tools_12.2.0-1+deb12u1.dsc
723692c71ad95322ea0d7ca3dab76e888bbe052d 1801276 open-vm-tools_12.2.0.orig.tar.xz
cbd9d85920d306554d937ef04b1858a7dc01447e 36212 open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
4b1490469b12bcf35ec32665bd778ae260c5c5e4 3188304 open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
675933e7199f8a4a6925fcce09658eac48b4e546 170120 open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
d90b9fed5119df359e41344261c0cca6a0ec9021 2735972 open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
2e907d2d7c2ed88d269a00e587d24eb65e9b0384 1552080 open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
e0aaf0c0e8b2b42c14d24bae63312796eb751501 151636 open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
7808ab4c5fb6c52e67484509c79292f6bf3110f2 509764 open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
be545eb25c9bd9880c39e10f8b23409815d274e4 26632 open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
5bde11f939104f5e2505a07d97e4f938cdaf66f9 23684 open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
b39ce5741381cac764bcb2d252789938f210ac1c 24752 open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
bac665ad9f9833d95fd5c70547a40c9e1d5b18c2 25039 open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
d6c3c5044e8d6f72659e8792ee36bccbd90e1ea2 685748 open-vm-tools_12.2.0-1+deb12u1_amd64.deb
Checksums-Sha256:
9e01b022bbbeb65c93633b77ad096e7607d80b38a13643fa8b0efc5e55c38881 2969 open-vm-tools_12.2.0-1+deb12u1.dsc
5fe62c535812358031c8157727803601885ffb82b3d41032c80415fbaa576ec5 1801276 open-vm-tools_12.2.0.orig.tar.xz
3e9f7b69e8b16d13896615f05375825eb8ee258db51496e2b4aaf7383fda2e88 36212 open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
02cf7418ddc9b4f045696bb283c074590bc2eef07b7cf03873a99753d492b7c6 3188304 open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
434f07401221dc68adb7ec2508e935e3a8e0a5e189a5a184ba967a8652ccb7fb 170120 open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
159c719bef72fec5a25c3d13254c9143079d1cbc3be488a0d0849895d0f020af 2735972 open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
ca67244e7582996935bdd007cc2f72da4b8632ee851caa6f918b207e87de09f9 1552080 open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
40148fc2ac55ee68f46d254fa347119dd7809c41b987490705d1e438c2a88cd6 151636 open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
ed296edbecc2c4520079ab1fadb8c070c92256627eb0aa2f6705ab5a4e43dec6 509764 open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
843f83deeef1a0886b515edacaaf43ed485b00ac38a1da966762442d0cc1d45a 26632 open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
5edb9a880cbcb4cc390598bc94c04755917aa301cb574385eacc0c78802cd940 23684 open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
30ec8ebdfbc16b28bad0ec76d3a7a90d53007eb940d5adcb2768dcbc7bf8b47c 24752 open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
f29a916bc575e4d0acdd81432c3dc9446e30c87e32de05c93ae11257d3f35813 25039 open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
71bbe9f7d49ddbef91d842bea243862a7b9870f623cbbf1c4de93c58584bdcd8 685748 open-vm-tools_12.2.0-1+deb12u1_amd64.deb
Files:
d1165e31f16bea9e17be96b8b23ed882 2969 admin optional open-vm-tools_12.2.0-1+deb12u1.dsc
ae95b00298a92b1f5c64873bd06c98e4 1801276 admin optional open-vm-tools_12.2.0.orig.tar.xz
7a20b7cff35d64b27e99dc4a72e449c5 36212 admin optional open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
4daf2c0a2b527fab37fbea676b782d22 3188304 debug optional open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
ddcb43ddfd923b5cd2b7214259686c64 170120 admin optional open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
cd8a16989c9a91a5d75488d672a97a15 2735972 debug optional open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
af555e6900a25faf1a9c1d385d9eb606 1552080 debug optional open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
cdd187496da857de7216448c4a09c0c6 151636 admin optional open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
11174b13cad1c3e9f1a4fa2b03247d10 509764 devel optional open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
40c0026c1472dce8455697e2919c6c11 26632 admin optional open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
240414ebb3a297b888cee4272926f2ee 23684 debug optional open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
775339e7186488fb9cfa63dfd98a411c 24752 admin optional open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
ec6bb8bac23c1235111cdf8c312db994 25039 admin optional open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
01adb657fa82ee48639f68d075b85596 685748 admin optional open-vm-tools_12.2.0-1+deb12u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
=i+Fs
-----END PGP SIGNATURE-----
Reply sent
to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility.
(Tue, 12 Sep 2023 18:51:06 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 12 Sep 2023 18:51:07 GMT)
Message #61 received at 1050970-close@bugs.debian.org:
Source: open-vm-tools
Source-Version: 2:11.2.5-2+deb11u2
Done: Bernd Zeimetz <bzed@debian.org>
We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1050970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated open-vm-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 06 Sep 2023 20:17:28 +0200
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-dbgsym open-vm-tools-desktop open-vm-tools-desktop-dbgsym open-vm-tools-dev open-vm-tools-sdmp open-vm-tools-sdmp-dbgsym
Architecture: source amd64
Version: 2:11.2.5-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description:
open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
open-vm-tools-sdmp - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
Closes: 1050970
Changes:
open-vm-tools (2:11.2.5-2+deb11u2) bullseye-security; urgency=high
.
* [29e736e] Fixing CVE-2023-20867, CVE-2023-20900
- Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
A fully compromised ESXi host can force VMware Tools to fail to
authenticate host-to-guest operations, impacting the confidentiality
and integrity of the guest virtual machine.
- SAML token signature bypass vulnerability (CVE-2023-20900)
A malicious actor with man-in-the-middle (MITM) network positioning
between vCenter server and the virtual machine may be able to bypass
SAML token signature verification, to perform VMware Tools Guest
Operations. (Closes: #1050970)
Checksums-Sha1:
00b48931dc1db0f8219b59b3cacda160df049884 2521 open-vm-tools_11.2.5-2+deb11u2.dsc
11860715e4fef9615e93afa33e2fe9daa005a6b7 33852 open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
89781142cdfeb9445067af478e0dd35c8eb77863 1972124 open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
c57d1c1dab71ca059b261bc27fca18d0d0242648 1364760 open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
4da8ba85a8120f70bb261412e647a515f65d1315 166236 open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
7f51217a64a057d701c4b83ea316b7c4262d81f7 501424 open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
2ed6fbace829e2feb33a4a7c635e40b39d923b22 19308 open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
9030d895ce7c2dabfca1e805179d3f1b3ac5d17f 39552 open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
7e76861254f55f44b9ca862efb58df6e6dde9d58 18376 open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
610c7094e69bccdb14068810ace45d2ce3bb8f64 630288 open-vm-tools_11.2.5-2+deb11u2_amd64.deb
Checksums-Sha256:
847f40d93ae1dd429d63cce59871abb943ffdb794a37be92903555be7baf17db 2521 open-vm-tools_11.2.5-2+deb11u2.dsc
9205b77562eb24c482dc64f315c65867724a55b5e8677923c3cdfcfc27acd526 33852 open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
699f9dbd0d0d6f596552d162df38e5fe49409790a1e30ce948dd01eacd94cd7e 1972124 open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
ec1e555fa0aa12663655099f976acc968256fd94e00d72a127c9dd4d771c19b9 1364760 open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
68ac335b77cd03aa86ab9285d482f9639dcf08f59d6ef88f5aba86dadb5c30fd 166236 open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
63d656420e28c6b3825ef3b348e55a2d2834a92ab827db9033383486a07502f3 501424 open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
7d24b0e3775bb4a15a4c727e8027d3222abd45e77f3eaa61ffb7808266a040cf 19308 open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
834f2f09b08df6a239c30a92c31bd72effa0a366f5bff115b7e9bb811c7a0f18 39552 open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
164604369757251be8ce9f6db3e8c351176518b1f33baf204c2e2b4abba86866 18376 open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
bd0b0140d135e5d6d56a4d2b841444adeace924bd04916091c5f8133da903c97 630288 open-vm-tools_11.2.5-2+deb11u2_amd64.deb
Files:
7cfb7e02a83e46628e84060fc5266b61 2521 admin optional open-vm-tools_11.2.5-2+deb11u2.dsc
183108c0d74a742c62be1eac0ee86f10 33852 admin optional open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
0acb3c2c0a4da7d3789051cb4a07c3f0 1972124 debug optional open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
c184815933f3e295e39854d144494f29 1364760 debug optional open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
560ce28cddcfbbdcdd3686889a3d15e8 166236 admin optional open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
7df2070581cc8a59a008d35eb4087e3c 501424 devel optional open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
cf1f77eed4847ab15083939ff46f6e6d 19308 debug optional open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
b43a439ebe2bb50fbe81e00db551a460 39552 admin optional open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
a368906fd7397646ce14c124bd811386 18376 admin optional open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
a95f48e60a72ef13834a86b151fd2042 630288 admin optional open-vm-tools_11.2.5-2+deb11u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCAAuFiEE7KHj8o4RJDLUhd2V6zYXGm/5Q18FAmT592EQHGJ6ZWRAZGVi
aWFuLm9yZwAKCRDrNhcab/lDX84gEAC7eRYy1A146yObhZN1MBmyv14VbOQFp3fT
3up3PzhvCV4AhVaSToxhi7RDffuUITkCJ/zZvEoOUlDSiwf4rj4h/JFAdqUSrYdU
1GSnDFk6EG70HYo2U1R5ao4coBQm4XGLVwhWhnXqZ4X5MO7s2JbkEMBvPKWVMTxQ
GsIrzXMX+P4FAqHAksJ6vB45UCfNyNVATA8ZzyOSHZkkjri2EmLxzvJPZ1O4nQmf
K3Pi89m1R04a5z+e12+y1KP07iBVQKzI30p9LnGcOlg5V6WL81+EULLFqCX7s7pL
5YJ94OTjMVBqeby4RkcAqgPZXwzh4Sg1Za9W3OsjhYapffglI/D8RIqmkUTU3kMt
B/hOKYo4blLZOTunDd3TlqnISAIF+ZEZlAB7b06fKDRWJ9Le+kUwUvpBqiDdwHlv
i78oE649saWB+4wBx0aKdpqFfLl1ctF8JR/UwZjhRDXkXgaS/MmhdsUIBwAd7v6V
Fm7R84TQqR2l8uq6YESKlTXPilb7zAGUbDgwuCYXDB8vHFVcbAAf/1Jm3pZpiDGF
98QUapr1nmSBfqAopf1fDPdmFai31a9AI8pgc+i9dEJQVtQXeTZAhf6mJLBllmMv
6Qk+m3J3wjVZund+o2qrV2gmnY1BTG23lhzfa8o424Vtz6r91GBphMwY45iICDKh
iUhZeXD8kA==
=3UI2
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 11 Oct 2023 07:29:17 GMT)
Last modified: Sat Nov 18 00:35:55 2023