Your message dated Tue, 12 Sep 2023 18:47:19 +0000
with message-id <e1qg8pv-00eryf...@fasolo.debian.org>
and subject line Bug#1050970: fixed in open-vm-tools 2:12.2.0-1+deb12u1
has caused the Debian Bug report #1050970,
regarding open-vm-tools: CVE-2023-20900
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: open-vm-tools
Version: 2:12.2.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for open-vm-tools.

CVE-2023-20900[0]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor with man-in-the-middle (MITM) network positioning
| between vCenter server and the virtual machine may be able to bypass
| SAML token signature verification, to perform VMware Tools Guest
| Operations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20900
    https://www.cve.org/CVERecord?id=CVE-2023-20900
[1] https://www.openwall.com/lists/oss-security/2023/08/31/1
[2] https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: open-vm-tools
Source-Version: 2:12.2.0-1+deb12u1
Done: Bernd Zeimetz <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated open-vm-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Sep 2023 20:01:06 +0200
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-containerinfo open-vm-tools-containerinfo-dbgsym open-vm-tools-dbgsym open-vm-tools-desktop open-vm-tools-desktop-dbgsym open-vm-tools-dev open-vm-tools-salt-minion open-vm-tools-sdmp open-vm-tools-sdmp-dbgsym
Architecture: source amd64
Version: 2:12.2.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Description:
 open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
 open-vm-tools-containerinfo - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
 open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
 open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
 open-vm-tools-salt-minion - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
 open-vm-tools-sdmp - Open VMware Tools for VMs hosted on VMware (Service Discovery Plu
Closes: 1050970
Changes:
 open-vm-tools (2:12.2.0-1+deb12u1) bookworm-security; urgency=medium
 .
   * [3812674] Fixing CVE-2023-20867, CVE-2023-20900
     - Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
       A fully compromised ESXi host can force VMware Tools to fail to
       authenticate host-to-guest operations, impacting the confidentiality
       and integrity of the guest virtual machine.
     - SAML token signature bypass vulnerability (CVE-2023-20900)
       A malicious actor with man-in-the-middle (MITM) network positioning
       between vCenter server and the virtual machine may be able to bypass
       SAML token signature verification, to perform VMware Tools Guest
       Operations. (Closes: #1050970)
   * [fb0ab84] Updating gitlab CI and GBP to build in bookworm
Checksums-Sha1:
 a2f8437766cff2f597ecf4c49eb2eaf23011e86b 2969 open-vm-tools_12.2.0-1+deb12u1.dsc
 723692c71ad95322ea0d7ca3dab76e888bbe052d 1801276 open-vm-tools_12.2.0.orig.tar.xz
 cbd9d85920d306554d937ef04b1858a7dc01447e 36212 open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
 4b1490469b12bcf35ec32665bd778ae260c5c5e4 3188304 open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
 675933e7199f8a4a6925fcce09658eac48b4e546 170120 open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
 d90b9fed5119df359e41344261c0cca6a0ec9021 2735972 open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
 2e907d2d7c2ed88d269a00e587d24eb65e9b0384 1552080 open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
 e0aaf0c0e8b2b42c14d24bae63312796eb751501 151636 open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
 7808ab4c5fb6c52e67484509c79292f6bf3110f2 509764 open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
 be545eb25c9bd9880c39e10f8b23409815d274e4 26632 open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
 5bde11f939104f5e2505a07d97e4f938cdaf66f9 23684 open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
 b39ce5741381cac764bcb2d252789938f210ac1c 24752 open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
 bac665ad9f9833d95fd5c70547a40c9e1d5b18c2 25039 open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
 d6c3c5044e8d6f72659e8792ee36bccbd90e1ea2 685748 open-vm-tools_12.2.0-1+deb12u1_amd64.deb
Checksums-Sha256:
 9e01b022bbbeb65c93633b77ad096e7607d80b38a13643fa8b0efc5e55c38881 2969 open-vm-tools_12.2.0-1+deb12u1.dsc
 5fe62c535812358031c8157727803601885ffb82b3d41032c80415fbaa576ec5 1801276 open-vm-tools_12.2.0.orig.tar.xz
 3e9f7b69e8b16d13896615f05375825eb8ee258db51496e2b4aaf7383fda2e88 36212 open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
 02cf7418ddc9b4f045696bb283c074590bc2eef07b7cf03873a99753d492b7c6 3188304 open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
 434f07401221dc68adb7ec2508e935e3a8e0a5e189a5a184ba967a8652ccb7fb 170120 open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
 159c719bef72fec5a25c3d13254c9143079d1cbc3be488a0d0849895d0f020af 2735972 open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
 ca67244e7582996935bdd007cc2f72da4b8632ee851caa6f918b207e87de09f9 1552080 open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
 40148fc2ac55ee68f46d254fa347119dd7809c41b987490705d1e438c2a88cd6 151636 open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
 ed296edbecc2c4520079ab1fadb8c070c92256627eb0aa2f6705ab5a4e43dec6 509764 open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
 843f83deeef1a0886b515edacaaf43ed485b00ac38a1da966762442d0cc1d45a 26632 open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
 5edb9a880cbcb4cc390598bc94c04755917aa301cb574385eacc0c78802cd940 23684 open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
 30ec8ebdfbc16b28bad0ec76d3a7a90d53007eb940d5adcb2768dcbc7bf8b47c 24752 open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
 f29a916bc575e4d0acdd81432c3dc9446e30c87e32de05c93ae11257d3f35813 25039 open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
 71bbe9f7d49ddbef91d842bea243862a7b9870f623cbbf1c4de93c58584bdcd8 685748 open-vm-tools_12.2.0-1+deb12u1_amd64.deb
Files:
 d1165e31f16bea9e17be96b8b23ed882 2969 admin optional open-vm-tools_12.2.0-1+deb12u1.dsc
 ae95b00298a92b1f5c64873bd06c98e4 1801276 admin optional open-vm-tools_12.2.0.orig.tar.xz
 7a20b7cff35d64b27e99dc4a72e449c5 36212 admin optional open-vm-tools_12.2.0-1+deb12u1.debian.tar.xz
 4daf2c0a2b527fab37fbea676b782d22 3188304 debug optional open-vm-tools-containerinfo-dbgsym_12.2.0-1+deb12u1_amd64.deb
 ddcb43ddfd923b5cd2b7214259686c64 170120 admin optional open-vm-tools-containerinfo_12.2.0-1+deb12u1_amd64.deb
 cd8a16989c9a91a5d75488d672a97a15 2735972 debug optional open-vm-tools-dbgsym_12.2.0-1+deb12u1_amd64.deb
 af555e6900a25faf1a9c1d385d9eb606 1552080 debug optional open-vm-tools-desktop-dbgsym_12.2.0-1+deb12u1_amd64.deb
 cdd187496da857de7216448c4a09c0c6 151636 admin optional open-vm-tools-desktop_12.2.0-1+deb12u1_amd64.deb
 11174b13cad1c3e9f1a4fa2b03247d10 509764 devel optional open-vm-tools-dev_12.2.0-1+deb12u1_amd64.deb
 40c0026c1472dce8455697e2919c6c11 26632 admin optional open-vm-tools-salt-minion_12.2.0-1+deb12u1_amd64.deb
 240414ebb3a297b888cee4272926f2ee 23684 debug optional open-vm-tools-sdmp-dbgsym_12.2.0-1+deb12u1_amd64.deb
 775339e7186488fb9cfa63dfd98a411c 24752 admin optional open-vm-tools-sdmp_12.2.0-1+deb12u1_amd64.deb
 ec6bb8bac23c1235111cdf8c312db994 25039 admin optional open-vm-tools_12.2.0-1+deb12u1_amd64.buildinfo
 01adb657fa82ee48639f68d075b85596 685748 admin optional open-vm-tools_12.2.0-1+deb12u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---