open-vm-tools update to last version (12.1)
The last available version of vmware tools on centos 7 repo is open-vm-tools-11.0.5-3.el7.x86_64.rpm
This version is vulnerable to CVE-2022-31676 and should be updated to 12.1.0.
Most of the operating system vendors published version 12.1 but I can't find it for CentOS7.
Am I missing a repo or should I wait more time to see if an updated version is published?
Re: open-vm-tools update to last version (12.1)
It's fixed for RHEL 8+9, so maybe you could wait a day or two and see
if 7 will be updated? (And then wait a few days for a CentOS 7 package.)
https://access.redhat.com/security/cve/cve-2022-31676
Re: open-vm-tools update to last version (12.1)
It only came out yesterday!
Edit: actually I was wrong. It only came out yesterday for RHEL 8 - it's not out at all for 7 yet.
https://access.redhat.com/security/cve/CVE-2022-31676
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: open-vm-tools update to last version (12.1)
...yet they're still not available on CentOS repositories.
Re: open-vm-tools update to last version (12.1)
I'm told that the fixed version of this for CentOS 7 was just pushed to the mirrors.
Re: open-vm-tools update to last version (12.1)
Re: CVE-2022-31676 bugfix for CentOS 7
I see open-vm-tools-11.0.5-3.el7_9.3.x86_64.rpm was released today to http://mirror.centos.org/centos-7/7/upd ... /Packages/
i.e., 2022-09-13 10:39 as documented therein [ TZ unknown ]. That is obviously a different version of open-vm-tools 12.1 which was mentioned at the top of the present thread. Same story for latest version http://mirror.centos.org/centos-7/7.9.2 ... /Packages/.
Based on the changelog at https://centos.pkgs.org/7/centos-update ... 4.rpm.html, it seems like the version released today does not contain a fix for https://access.redhat.com/security/cve/CVE-2022-31676.
I see https://centos.pkgs.org/8-stream/centos ... 4.rpm.html released for version 8 (eight) and the changelog for that says 2022-06-07 - [redacted] - 12.0.5-1 - Rebase to open-vm-tools 12.0.5 [bz#2090273] - Resolves: bz#2090273. I looked for bz#2090273 at https://bugs.centos.org/view_all_bug_page.php to try to confirm this is the fix for CVE-2022-31676 but it seems pretty likely that is the CentOS 8 fix. This is also a different minor version (12.0) from that at the top of the present thread (12.1).
I imagine a v12.0.5-1 package for CentOS 7 will be published or I'd be grateful if someone could correct me herein. Assuming that is published at some point, it would be helpful to know how to verify that it contains a fix for CVE-2022-31676 - perhaps https://bugs.centos.org is not the correct place to find the above Bugzilla reference (bz#2090273)?
Re: open-vm-tools update to last version (12.1)
"I see open-vm-tools-11.0.5-3.el7_9.3.x86_64.rpm was released today"
Where do you see that? That package is from 2020. The fixed version is 11.0.5-3.el7_9.4. The first lines of the changelog are:
[root@centos7 ~]# repoquery -q --changelog open-vm-tools
* Fri Sep 02 2022 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.4
- ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310]
- Resolves: bz#2119310
(CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z])
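The changelog quoted above shows the fix backported into 11.0.5-3.el7_9.4 rather than delivered as a 12.x rebase, so the changelog, not the upstream version number, is what answers "does this build contain the fix". The script below is an added example, not part of the thread: the function names and the second sample entry are constructed for illustration, and `rpm -q --changelog` reads the changelog of the installed package.

```shell
#!/bin/sh
# Added example: report which build's RPM changelog entry mentions a CVE.

# Reads changelog text on stdin; $1 is the CVE id.
# Prints the version-release of the oldest entry that mentions the CVE
# (any build at or after it carries the fix); exits 1 if no entry does.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* /         { ver = $NF; next }   # entry header ends in version-release
        index($0, cve) { hit = ver }         # log is newest-first: keep the last hit
        END            { if (hit != "") print hit; exit (hit == "" ? 1 : 0) }
    '
}

# Same check against the package actually installed on this host.
# $1 = package name, $2 = CVE id. Not called here so the demo runs without rpm.
installed_has_fix() {
    rpm -q --changelog "$1" | cve_fixed_in "$2"
}

# Sample input: the first entry is the one quoted in the post above,
# the second entry is constructed as a placeholder for an older build.
SAMPLE_CHANGELOG='* Fri Sep 02 2022 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.4
- ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310]
- Resolves: bz#2119310
  (CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z])

* Tue Jan 01 2019 Example Packager <packager@example.com> - 0.0.0-1.example
- Constructed placeholder entry with no CVE reference'

# Demo on the embedded sample; prints the build that introduced the fix.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2022-31676
```

On a CentOS 7 guest, `installed_has_fix open-vm-tools CVE-2022-31676` runs the same check against what is installed; a non-zero exit means the installed changelog never mentions the CVE.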