open-vm-tools update to last version (12.1)

Xav
Posts: 1
Joined: 2022/09/07 05:43:08

open-vm-tools update to last version (12.1)

Post by Xav » 2022/09/07 07:31:15

The last available version of vmware tools on centos 7 repo is open-vm-tools-11.0.5-3.el7.x86_64.rpm

This version is vulnerable to CVE-2022-31676 and should be updated to 12.1.0.

Most of the operating system vendors published version 12.1 but I can't find it for CentOS7.

Am I missing a repo or should I wait more time to see if an updated version is published?

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: open-vm-tools update to last version (12.1)

Post by tunk » 2022/09/07 09:53:27

It's fixed for RHEL 8+9, so maybe you could wait a day or two and see
if 7 will be updated? (And then wait a few days for a CentOS 7 package.)
https://access.redhat.com/security/cve/cve-2022-31676

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: open-vm-tools update to last version (12.1)

Post by TrevorH » 2022/09/07 10:30:07

It only came out yesterday!

Edit: actually I was wrong. It only came out yesterday for RHEL 8 - it's not out at all for 7 yet.

https://access.redhat.com/security/cve/CVE-2022-31676
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: open-vm-tools update to last version (12.1)

Post by toracat » 2022/09/07 17:05:48

It's out for RHEL 7 now.
CentOS Forum FAQ

hidepp
Posts: 1
Joined: 2022/09/12 12:47:19

Re: open-vm-tools update to last version (12.1)

Post by hidepp » 2022/09/12 12:49:55

...yet they're still not available on CentOS repositories.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: open-vm-tools update to last version (12.1)

Post by TrevorH » 2022/09/13 13:54:07

I'm told that the fixed version of this for CentOS 7 was just pushed to the mirrors.

blitz
Posts: 1
Joined: 2022/01/26 10:08:56

Re: open-vm-tools update to last version (12.1)

Post by blitz » 2022/09/13 15:40:06

Re: CVE-2022-31676 bugfix for CentOS 7

I see open-vm-tools-11.0.5-3.el7_9.3.x86_64.rpm was released today to http://mirror.centos.org/centos-7/7/upd ... /Packages/
i.e., 2022-09-13 10:39 as documented therein [ TZ unknown ]. That is obviously a different version from open-vm-tools 12.1, which was mentioned at the top of the present thread. Same story for the latest version http://mirror.centos.org/centos-7/7.9.2 ... /Packages/.

Based on the changelog at https://centos.pkgs.org/7/centos-update ... 4.rpm.html, it seems like the version released today does not contain a fix for https://access.redhat.com/security/cve/CVE-2022-31676.

I see https://centos.pkgs.org/8-stream/centos ... 4.rpm.html released for version 8 (eight) and the changelog for that says 2022-06-07 - [redacted] - 12.0.5-1 - Rebase to open-vm-tools 12.0.5 [bz#2090273] - Resolves: bz#2090273. I looked for bz#2090273 at https://bugs.centos.org/view_all_bug_page.php to try to confirm this is the fix for CVE-2022-31676 but it seems pretty likely that is the CentOS 8 fix. This is also a different minor version (12.0) from that at the top of the present thread (12.1).

I imagine a v12.0.5-1 package for CentOS 7 will be published or I'd be grateful if someone could correct me herein. Assuming that is published at some point, it would be helpful to know how to verify that it contains a fix for CVE-2022-31676 - perhaps https://bugs.centos.org is not the correct place to find the above Bugzilla reference (bz#2090273)?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: open-vm-tools update to last version (12.1)

Post by TrevorH » 2022/09/13 17:08:55

> I see open-vm-tools-11.0.5-3.el7_9.3.x86_64.rpm was released today

Where do you see that? That package is from 2020. The fixed version is 11.0.5-3.el7_9.4. The first lines of the changelog are

Code:

[root@centos7 ~]# repoquery -q --changelog open-vm-tools
* Fri Sep 02 2022 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.4
- ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310]
- Resolves: bz#2119310
  (CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z])

Edit: oh, and bugzilla is bugzilla.redhat.com, not bugs.centos.org
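Added example (not part of the thread, and not code from any poster): one way to answer the "how to verify that it contains a fix" question is to scan the package changelog for the CVE id and report which version-release entries mention it. The function names and the older changelog entry in the sample are constructed for illustration; the first sample entry is the one quoted in the post above.

```shell
#!/bin/sh
# cve_fixed_in CVE-ID  (changelog text on stdin)
# Prints the version-release of every changelog entry that mentions the CVE.
# Input format is what `rpm -q --changelog` / `repoquery --changelog` emit:
# a header line starting with "* " whose last field is version-release,
# followed by the entry's body lines.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { evr = $NF; next }          # new entry: remember its version-release
        {
            i = index($0, cve)
            # Reject partial ids (e.g. CVE-2022-3167 inside CVE-2022-31676)
            if (i && substr($0, i + length(cve), 1) !~ /[0-9]/ && evr != "" && !seen[evr]++)
                print evr
        }
    '
}

# Constructed sample input: the entry quoted in the thread plus a made-up
# older entry (placeholder version) that carries no CVE reference.
sample_changelog() {
cat <<'EOF'
* Fri Sep 02 2022 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.4
- ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310]
- Resolves: bz#2119310
  (CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z])
* Wed Jan 01 2020 Constructed Entry <packager@example.com> - 0.0.0-0.example
- constructed placeholder entry without any CVE reference
EOF
}

# Offline demonstration on the sample
sample_changelog | cve_fixed_in CVE-2022-31676

# On a live host:
#   rpm -q --changelog open-vm-tools | cve_fixed_in CVE-2022-31676        # installed package
#   repoquery -q --changelog open-vm-tools | cve_fixed_in CVE-2022-31676  # package in the repos
```

Empty output from the installed-package check means no changelog entry of the installed build references the CVE, which is the case worth alerting on.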
