Your message dated Tue, 12 Sep 2023 18:47:41 +0000
with message-id <e1qg8qh-00erde...@fasolo.debian.org>
and subject line Bug#1050970: fixed in open-vm-tools 2:11.2.5-2+deb11u2
has caused the Debian Bug report #1050970,
regarding open-vm-tools: CVE-2023-20900
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: open-vm-tools
Version: 2:12.2.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for open-vm-tools.

CVE-2023-20900[0]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor with man-in-the-middle (MITM) network positioning
| between vCenter server and the virtual machine may be able to bypass
| SAML token signature verification, to perform VMware Tools Guest
| Operations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20900
    https://www.cve.org/CVERecord?id=CVE-2023-20900
[1] https://www.openwall.com/lists/oss-security/2023/08/31/1
[2] https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: open-vm-tools
Source-Version: 2:11.2.5-2+deb11u2
Done: Bernd Zeimetz <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated open-vm-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Sep 2023 20:17:28 +0200
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-dbgsym open-vm-tools-desktop open-vm-tools-desktop-dbgsym open-vm-tools-dev open-vm-tools-sdmp open-vm-tools-sdmp-dbgsym
Architecture: source amd64
Version: 2:11.2.5-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Description:
 open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
 open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
 open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
 open-vm-tools-sdmp - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
Closes: 1050970
Changes:
 open-vm-tools (2:11.2.5-2+deb11u2) bullseye-security; urgency=high
 .
   * [29e736e] Fixing CVE-2023-20867, CVE-2023-20900
     - Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
       A fully compromised ESXi host can force VMware Tools to fail to
       authenticate host-to-guest operations, impacting the confidentiality
       and integrity of the guest virtual machine.
     - SAML token signature bypass vulnerability (CVE-2023-20900)
       A malicious actor with man-in-the-middle (MITM) network positioning
       between vCenter server and the virtual machine may be able to bypass
       SAML token signature verification, to perform VMware Tools Guest
       Operations. (Closes: #1050970)
Checksums-Sha1:
 00b48931dc1db0f8219b59b3cacda160df049884 2521 open-vm-tools_11.2.5-2+deb11u2.dsc
 11860715e4fef9615e93afa33e2fe9daa005a6b7 33852 open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
 89781142cdfeb9445067af478e0dd35c8eb77863 1972124 open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
 c57d1c1dab71ca059b261bc27fca18d0d0242648 1364760 open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
 4da8ba85a8120f70bb261412e647a515f65d1315 166236 open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
 7f51217a64a057d701c4b83ea316b7c4262d81f7 501424 open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
 2ed6fbace829e2feb33a4a7c635e40b39d923b22 19308 open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
 9030d895ce7c2dabfca1e805179d3f1b3ac5d17f 39552 open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
 7e76861254f55f44b9ca862efb58df6e6dde9d58 18376 open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
 610c7094e69bccdb14068810ace45d2ce3bb8f64 630288 open-vm-tools_11.2.5-2+deb11u2_amd64.deb
Checksums-Sha256:
 847f40d93ae1dd429d63cce59871abb943ffdb794a37be92903555be7baf17db 2521 open-vm-tools_11.2.5-2+deb11u2.dsc
 9205b77562eb24c482dc64f315c65867724a55b5e8677923c3cdfcfc27acd526 33852 open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
 699f9dbd0d0d6f596552d162df38e5fe49409790a1e30ce948dd01eacd94cd7e 1972124 open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
 ec1e555fa0aa12663655099f976acc968256fd94e00d72a127c9dd4d771c19b9 1364760 open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
 68ac335b77cd03aa86ab9285d482f9639dcf08f59d6ef88f5aba86dadb5c30fd 166236 open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
 63d656420e28c6b3825ef3b348e55a2d2834a92ab827db9033383486a07502f3 501424 open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
 7d24b0e3775bb4a15a4c727e8027d3222abd45e77f3eaa61ffb7808266a040cf 19308 open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
 834f2f09b08df6a239c30a92c31bd72effa0a366f5bff115b7e9bb811c7a0f18 39552 open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
 164604369757251be8ce9f6db3e8c351176518b1f33baf204c2e2b4abba86866 18376 open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
 bd0b0140d135e5d6d56a4d2b841444adeace924bd04916091c5f8133da903c97 630288 open-vm-tools_11.2.5-2+deb11u2_amd64.deb
Files:
 7cfb7e02a83e46628e84060fc5266b61 2521 admin optional open-vm-tools_11.2.5-2+deb11u2.dsc
 183108c0d74a742c62be1eac0ee86f10 33852 admin optional open-vm-tools_11.2.5-2+deb11u2.debian.tar.xz
 0acb3c2c0a4da7d3789051cb4a07c3f0 1972124 debug optional open-vm-tools-dbgsym_11.2.5-2+deb11u2_amd64.deb
 c184815933f3e295e39854d144494f29 1364760 debug optional open-vm-tools-desktop-dbgsym_11.2.5-2+deb11u2_amd64.deb
 560ce28cddcfbbdcdd3686889a3d15e8 166236 admin optional open-vm-tools-desktop_11.2.5-2+deb11u2_amd64.deb
 7df2070581cc8a59a008d35eb4087e3c 501424 devel optional open-vm-tools-dev_11.2.5-2+deb11u2_amd64.deb
 cf1f77eed4847ab15083939ff46f6e6d 19308 debug optional open-vm-tools-sdmp-dbgsym_11.2.5-2+deb11u2_amd64.deb
 b43a439ebe2bb50fbe81e00db551a460 39552 admin optional open-vm-tools-sdmp_11.2.5-2+deb11u2_amd64.deb
 a368906fd7397646ce14c124bd811386 18376 admin optional open-vm-tools_11.2.5-2+deb11u2_amd64.buildinfo
 a95f48e60a72ef13834a86b151fd2042 630288 admin optional open-vm-tools_11.2.5-2+deb11u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---