From: Katy Feng Date: Thu, 26 Oct 2023 15:35:59 +0000 (-0700) Subject: Update the ReleaseNotes.md for the 12.3.5 open-vm-tools release. X-Git-Tag: stable-12.3.5~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6acd1f6742a8fc0dea9cabf7ba15416a2daf5075;p=thirdparty%2Fopen-vm-tools.git Update the ReleaseNotes.md for the 12.3.5 open-vm-tools release. --- diff --git a/ReleaseNotes.md b/ReleaseNotes.md index c7dd4ca09..beaffc7e6 100644 --- a/ReleaseNotes.md +++ b/ReleaseNotes.md @@ -1,8 +1,8 @@ -# open-vm-tools 12.3.0 Release Notes +# open-vm-tools 12.3.5 Release Notes -Updated on: 31 August 2023 +Updated on: 26 October 2023 -open-vm-tools | 31 AUGUST 2023 | Build 22234872 +open-vm-tools | 26 OCTOBER 2023 | Build 22544099 Check back for additions and updates to these release notes. @@ -10,7 +10,7 @@ Check back for additions and updates to these release notes. The release notes cover the following topics: -- [open-vm-tools 12.3.0 Release Notes](#open-vm-tools-1230-release-notes) +- [open-vm-tools 12.3.5 Release Notes](#open-vm-tools-1235-release-notes) - [What's in the Release Notes](#whats-in-the-release-notes) - [What's New](#whats-new) - [End of Feature Support Notice](#end-of-feature-support-notice) @@ -22,13 +22,15 @@ The release notes cover the following topics: ## What's New -This release resolves CVE-2023-20900. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. +* This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. + +* This release resolves CVE-2023-34059 which only affects open-vm-tools. * Please see the [Resolved Issues](#resolvedissues) and [Known Issues](#knownissues) sections below. -* A complete list of the granular changes in the open-vm-tools 12.3.0 release is available at: +* A complete list of the granular changes in the open-vm-tools 12.3.5 release is available at: - [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog) + [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog) ## End of Feature Support Notice @@ -38,7 +40,7 @@ This release resolves CVE-2023-20900. For more information on this vulnerability ## Internationalization -open-vm-tools 12.3.0 is available in the following languages: +open-vm-tools 12.3.5 is available in the following languages: * English * French @@ -60,66 +62,32 @@ The [VMware Product Interoperability Matrix](http://partnerweb.vmware.com/comp_ ## Resolved Issues -* **This release resolves CVE-2023-20900.** - - For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - -* **Linux quiesced snapshot: "SyncDriver: failed to freeze '_filesystem_'"** - - The open-vm-tools 12.2.0 release had an update to the Linux quiesced snapshot operation that would avoid starting a quiesced snapshot if a filesystem had already been frozen by another process. See the [Resolved Issues](https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md#-resolved-issues) section in the open-vm-tools 12.2.0 Release Notes. That fix may have been backported into earlier versions of open-vm-tools by Linux vendors. - - It is possible that filesystems are being frozen in custom pre-freeze scripts to control the order in which those specific filesystems are to be frozen. The vmtoolsd process **must be informed** of all such filesystems with the help of "excludedFileSystems" setting of tools.conf. - - ``` - [vmbackup] - - excludedFileSystems=/opt/data,/opt/app/project-*,... - ``` - - A temporary workaround is available (starting from open-vm-tools 12.3.0) for system administrators to quickly allow a quiescing operation to succeed until the "excludedFileSystems" list can be configured. Note, if another process thaws the file system while a quiescing snapshot operation is ongoing, the snapshot may be compromised. Once the "excludedFileSystems" list is configured this setting MUST be unset (or set to false). - - ``` - [vmbackup] - - ignoreFrozenFileSystems = true - ``` - - This workaround is provided in the source file changes in - - https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2 - - and at Linux vendors' discretion, may be backported to earlier versions of open-vm-tools. - -* **A number of Coverity reported issues have been addressed.** +* **This release resolves CVE-2023-34058.** -* **Component Manager / salt-minion: New InstallStatus "UNMANAGED".** + For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. - Salt-minion added support for "ExternalInstall" (106) to indicate an older version of salt-minion is installed on the vm and cannot be managed by the svtminion.* scripts. The Component Manager will track that as "UNMANAGED" and take no action. + open-vm-tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -* **The following pull requests and issues have been addressed** + A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias. - * Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES + Note: While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that must be addressed. - [Issue #638](https://github.com/vmware/open-vm-tools/issues/638) - [Pull request #639](https://github.com/vmware/open-vm-tools/pull/639) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34058.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch). - * Invalid argument with "\\" in Linux username (Active Directory user) +* **This release resolves CVE-2023-34059.** - [Issue #641](https://github.com/vmware/open-vm-tools/issues/641) + open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - * Improve POSIX guest identification + A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. - [Issue #647](https://github.com/vmware/open-vm-tools/issues/647) - [Issue #648](https://github.com/vmware/open-vm-tools/issues/648) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34059.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch). - * Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib" +* **The following github.com/vmware/open-vm-tools issue have been addressed** - [Issue #658](https://github.com/vmware/open-vm-tools/issues/658) + * Better cooperation between deployPkg plugin and cloud-init concerning location of 'disable_vmware_customization' flag. - * Fix build problems with grpc + [Issue #310](https://github.com/vmware/open-vm-tools/issues/310) - [Pull request #664](https://github.com/vmware/open-vm-tools/pull/664) - [Issue #676](https://github.com/vmware/open-vm-tools/issues/676) ## Known Issues