VMware Server 歷史舊版本 Page1

更新時間：2009-10-31
更新細節：

What's new in this version:

Security Fixes:
- New: Exception handling privilege escalation on Guest Operating System This release addresses a security vulnerability in exception handling. Improper setting of the exception code on page faults might allow for local privilege escalation on the guest. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2267 to this issue.
- New: Directory Traversal Vulnerability on Linux-based hosts This release addresses a directory traversal vulnerability that is present on host systems and that may allow for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides. The issue is present on Linux-based hosts only, not on Windows-based hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3733 to this issue.

Miscellaneous:
- Disk Stress Test fails with data corruption error
- WLK DiskStress test fails with data corruption error on LSI Logic virtual device.
- Server 2.0.1 does not allow vmnet-bridge service to be run in the foreground
- The vmnet-bridge service has a parameter -d for putting it in daemon mode. Without using the -d parameter, the vmnet-bridge service should be able to run in the foreground. This was not working. This issue is resolved in this release.

更新時間：2009-04-03
更新細節：

更新時間：2008-09-24
更新細節：

What's new in this version:

The wait for VMware Server 2 is over and it’s better than ever! The next generation VMware Server equips you with a stable, easy-to-use hosted virtualization platform. In beta since November 2007, VMware Server 2 introduces numerous enhancements including new operating system support, 64-bit operating system support, increased virtual machine scalability, new management tools and more.

更新時間：2008-08-29
更新細節：

What's new in this version:

Server 1.0.7 addresses the following security issues:

Security Fix for VMware ISAPI Extension:
- Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product.
- One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual.
- The Common Vulnerabilities and Exposures has assigned the name CVE-2008-3697 to this issue.

Setting ActiveX killbit:
- From this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the KB article 240797 from Microsoft and the related references on this topic.
- Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.
- Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.
- Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls.
- To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.
- The Common Vulnerabilities and Exposures has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.

Security Fix for Local Privilege Escalation on Host System:
- This release fixes a privilege escalation vulnerability in host operating systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges.
- The Common Vulnerabilities and Exposures has assigned the name CVE-2008-3698 to this issue.

Update to Freetype:
- FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to its latest version 2.3.7.
- The Common Vulnerabilities and Exposures has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6.

更新時間：2008-05-30
更新細節：

What's new in this version:

Issues Resolved in VMware Server 1.0.6:
- Virtual machines fail unexpectedly after a Symantec virus definition update from version 213 to version 220.
bug 252341
- Previous versions of VMware Server allowed using the VIX API from the guest operating system. In VMware Server 1.0.6 this is no longer allowed by default. This feature can be enabled in VMware Server 1.0.6 by setting a new parameter in the configuration (.vmx) file: vix.inGuest.enable="TRUE"

更新時間：2008-03-17
更新細節：

What's new in this version:

Version 1.0.5 a maintenance bug fix release to address security issues. See Resolved Issues for information on what has been fixed. In addition, Version 1.0.5 improves Remote Console performance and screen refreshing.

更新時間：2007-09-29
更新細節：

What's new in this version:

Issues Resolved in VMware Server 1.0.4
- In previous releases, when a virtual machine configuration (.vmx) file contained the line serialX.HardwareFlowControl = TRUE, the modem control signals were not correctly handled. This release fixes that problem. Modem control signals are now strictly passed through between the virtual and the physical serial port.
- This release fixes a problem that caused Fedora Core 7 to fail with an ASSERT when issuing SCSI commands that have illegal targets. This problem is not clearly exploitable by a normal user.
- This release fixes a problem that could cause Linux virtual machines with VMI-enabled kernels to run very slowly after being rebooted repeatedly.
- This release fixes a problem that could cause a virtual machine to fail at power-on when using a sound card with more than two mixer channels on a Windows 32-bit host.
- This release fixes a problem that could cause a 64-bit Solaris 10 virtual machine to fail at power-on after being updated with Solaris Update Patch 125038-04.
- This release fixes a problem that resulted from a conflict between Linux guest operating systems with kernel version 2.6.21 and RTC-related processes on the host. This problem caused the virtual machine to quit unexpectedly.
- This release fixes a problem that caused the hostd to quit unexpectedly in virtual machines with a corrupted snapshot.
- This release fixes a problem that prevented virtual machines running Fedora Core 7 from properly recognizing LSILogic SCSI devices.
- This release fixes a problem that prevented the VMware vmmon module from building correctly on hosts running Linux with kernel version 2.6.20-rc1.
- This release fixes a problem that prevented the VMware vmnet module from building correctly on hosts running Linux with kernel versions higher than 2.6.21.
- This release fixes a problem that could corrupt the guest's memory on hosts running Linux with kernel versions higher than 2.6.21.
- This release fixes the following problem: when a user attempts to access a virtual machine through the Windows remote VMware Service Console, and the user does not have execute permission on the virtual machine configuration (.vmx) file, the display is blank with no indication of the actual problem. This release adds an error message in this circumstance, to advise the user that execute access is required to connect to the virtual machine with the VMware Service Console.
- This release fixes a problem with virtual machines running Red Hat Linux 7.1, kernel version 2.4.2, that caused the guest operating system to become unresponsive during the installation of VMware Tools, after the user selected the default display size.
- This release fixes a problem that prevented VMware Player from launching. This problem was accompanied by the error message VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred. This problem could result in a security vulnerability from some images stored in virtual machines downloaded by the user.

Security Issues Resolved in VMware Server 1.0.4:
- This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4496.
- This release fixes a security vulnerability that could allow a guest operating system user without administrator privileges to cause a host process to become unresponsive or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4497.
- This release fixes several security vulnerabilities in the VMware DHCP server that could enable a malicious web page to gain system-level privileges.
- This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system.
- This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system.
- This release fixes a security vulnerability in which VMware Server was starting registered Windows services such as the Authorization service with "bare" (unquoted) paths, such as c:program filesvmware.... Applications and services in Windows must be started with a quoted path. This vulnerability could allow a malicious user to escalate user privileges.
- This release fixes a problem that could cause user passwords to be printed in cleartext in some VMware Server logs.

更新時間：2007-05-15
更新細節：

What's new in this version:

Issues Resolved in VMware Server 1.0.3
- This release fixes a problem with VMware Tools that caused the guest to run out of memory.
- VMware Server 1.0.3 fixes a bug introduced in the VMware Server version 1.0.2 VIX API. As a result of this bug, if Vix_ReleaseHandle (vmhandle) and VixHost_Disconnect (hosthandle) are called, a crash occurs in VixHost_Disconnect(). This crash is accompanied by the following error message:

VMware Server Error:
VMware Server unrecoverable error: (app)
ASSERT /build/mts/release/bora-39867/pompeii2005/bora/lib/vmdb/vmdbCtx.c:487 bugNr=23952
A log file is available in "/tmp/vmware-mark/vix-3749.log". Please request support and include the contents of the log file.
To collect files to submit to VMware support, run vm-support.
We will respond on the basis of your support entitlement.


Security Issues Resolved in VMware Server 1.0.3
- Virtual machines can be put in various states of suspension, as specified by the ACPI power management standard. When returning from a sleep state (S2) to the run state (S0), the virtual machine process (VMX) collects information about the last recorded running state for the virtual machine. Under some circumstances, VMX read state information from an incorrect memory location. This issue could be used to complete a successful Denial-of-Service attack where the virtual machine would need to be rebooted.
- Some VMware products support storing configuration information in VMware system files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.
- Some VMware products managed memory in a way that failed to gracefully handle some general protection faults (GPFs) in Windows guest operating systems. A malicious user could use this vulnerability to crash Windows virtual machines. While this vulnerability could allow an attacker to crash a virtual machine, we do not believe it was possible to escalate privileges or escape virtual containment.
- In a 64-bit Windows guest on a 64-bit host, debugging local programs could create system instability. Using a debugger to step into a syscall instruction may corrupt the virtual machine's register context. This corruption produces unpredictable results including corrupted stack pointers, kernel bugchecks, or vmware-vmx process failures.

更新時間：2007-03-02
更新細節：

What's new in this version:

Issues Resolved in VMware Server 1.0.2
- This release fixes certain memory leaks in VMware Tools on Windows guests.
- The vm-support script, which collects log files and other system information, now collects the bootloader configuration file.
- This release includes improved support for Intel family F processors.
- This release includes new support for Intel Rockton processors.
- This release fixes a bug that, under rare conditions, caused a crash when many virtual machines were booting under a heavy load.
- This release includes prebuilt modules for VMware Tools for SuSE SLES 10.
- This release fixes a bug that sometimes caused an assertion failure when calling VixVM_Open on an unregistered virtual machine.
- Starting in this release, guest.commands.allowAnonRootGuestCommandsOnHost and guest.commands.allowAnonRootGuestCommands settings can no longer be included in the .vmx file. To affect all the virtual machines on the host, you can include these settings in the global configuration file $LIBDIR/settings or CommonAppDatasettings.ini.
- Kernel modules now build on 2.6.18 kernels.
- Kernel modules now build on Debian's 2.6.17 kernels.
- HGFS now builds on 2.6.18-rc1 kernels.
- This release fixes a bug that occasionally caused a crash when uninstalling VMware Server just after resuming a Windows host system.
- This release fixes a bug that occasionally crashed 64-bit Windows Server 2003 Enterprise Edition hosts with SP1.
- This release fixes a bug that occasionally caused direct execution errors in V8086 mode when running 16-bit DOS applications in a Windows guest. This fix prevents direct execution errors that are caused by the sysenter instruction being improperly handled, and thus enables DOS applications to execute properly.
- CD-ROM and DVD-ROM emulation now work correctly in Vista guests.
- Vmnet compilation now works correctly for bridged networking on 2.6.18 or higher kernels.
- This release fixes a bug that, under rare conditions, caused guest memory to become corrupted.
- Second and subsequent snapshots no longer contain the absolute path to the base .vmdk file. This fix allows the virtual machine to be moved to another machine.
- This release fixes a bug that, under rare conditions, caused a system panic with sunfire 4100 hardware on a RedHat 4 64-bit guest.
- This release fixes a bug that occasionally caused Windows guests with dual vmxnet adapters to lose network connectivity.
- This release fixes a bug that occasionally caused a core dump when opening and powering on a FreeBSD6.0 guest and invoking VMware Tools.
- VMware Server 1.0.2 now correctly uses 2-CPU licenses instead of 8-CPU licenses on quad core machines.
- This release fixes a bug that occasionally caused a hang on RedHat Enterprise Linux 3 U5 virtual machines.

Security Issues Resolved in VMware Server 1.0.2
- This release fixes a security issue that could allow a malicious user to crash Windows guest operating systems. Rubén Santamarta of Reversemode discovered a vulnerability in the way that VMware delivered General Protection Faults to Windows guest operating systems, which is now fixed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1069 to this issue.
- This release fixes a security issue with the configuration program vmware-config, which could set incorrect permissions and umask on SSL key files. Local users might have been able to obtain access to the SSL key files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3589 to this issue. Note: The affected files include /usr/bin/vmware-config.pl and /usr/bin/vmware-config-mui.pl.
- RunProgramInGuest was being executed as SYSTEM in Windows guests. Now it executes as the user running it with that user's permissions.

更新時間：2007-02-22
更新細節：