Hi everyone,

The new Vagrant VMware Desktop plugin has been released today. This plugin 
resolves a number of security vulnerabilities present in the Vagrant VMware 
Fusion and Vagrant VMware Workstation plugins. Updating to the new plugin 
is highly recommended. The Vagrant VMware Desktop plugin supports licenses 
used for the Vagrant VMware Workstation and Vagrant VMware Fusion plugins, 
so existing users can update without needing to modify their existing 
licenses.

The Vagrant VMware Desktop plugin includes fixes for a root privilege 
escalation vulnerability which could be used by a malicious Vagrantfile or 
previously installed malware. The issues were first reported to HashiCorp 
in late 2017 and led to the full restructuring and unification of the 
plugin. The unified plugin now includes an isolated process which handles 
all privileged operations and is installed via system installers to ensure 
the safety of the installation process. This extraction of privileged 
operations from the Vagrant plugin also removes the requirement for users 
to be able to escalate their privileges to install or use the plugin.

I want to extend my thanks to the researcher who discovered and reported 
the vulnerabilities, and allowed us time to release an update before 
disclosing them. My apologies for how long the release has taken.

For installation instructions, please refer to the VMware provider 
documentation page:

  https://www.vagrantup.com/docs/vmware/installation.html

If you have any problems updating to the new Vagrant VMware Desktop plugin, 
please send an email to [email protected].

Cheers!

- Chris Roberts

-- 
This mailing list is governed under the HashiCorp Community Guidelines - 
https://www.hashicorp.com/community-guidelines.html. Behavior in violation of 
those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/mitchellh/vagrant/issues
IRC: #vagrant on Freenode