This document tracks the release of the monthly patches to the Photon Operating System bundled in the VMware vCenter Server Appliance.

You can download the deliverables from the VMware Patch Download Center.

IMPORTANT: vCenter Server Appliance 6.5 builds have been removed as of November 14, 2017 due to a deployment-impacting issue. This issue does not impact Windows installed vCenter Servers. To resolve this issue, you must upgrade to vCenter Server Appliance 6.5 Update 1c or later. For more information, see KB 51124.

Installation Steps

To apply the Photon OS security patches to the vCenter Server Appliance, you can use one of the following methods:

Deploy a new vCenter Server Appliance by using either the GUI or the CLI installer. For information about doing a fresh install of the vCenter Server Appliance, see Deploying the vCenter Server Appliance and Platform Services Controller Appliance.

Upgrade to the version of the vCenter Server Appliance containing the latest Photon OS security patches by using either the GUI or the CLI installer. For information about upgrading the vCenter Server Appliance, see Upgrading the vCenter Server Appliance and Platform Services Controller Appliance.

Patch the appliance by using either the appliance shell or the Appliance Management Interface. IMPORTANT: You can update the vCenter Server Appliance with Photon OS patches released within the same Update release. If you try to update the vCenter Server Appliance directly from an unsupported base version of 6.5 to the current Photon OS patch version by using the vCenter Server Appliance Management Interface, the process fails. This is expected, but the error message that you see is a generic one. To see the correct error message, check the log files. This means that if you have updated to a version that is released right after vSphere 6.5 Update 2, you cannot directly apply a Photon OS patch that is released after vSphere 6.5 Update 3. You must first update the vCenter Server Appliance to version 6.5 Update 3 and then apply the selected Photon OS patch to the appliance. For information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

Perform a file-based backup and restore where, in the restore process, you deploy a new appliance containing the latest Photon OS security patches. For information about performing a file-based backup and restore of the vCenter Server Appliance, see File-Based Backup and Restore of vCenter Server Appliance.

Migrate a vCenter Server on Windows instance to a version of the vCenter Server Appliance containing the latest Photon OS security patches. For information about performing a migration of vCenter Server on Windows to vCenter Server Appliance, see Migrating vCenter Server for Windows to vCenter Server Appliance.

Upgrade Notes

Upgrade from vCenter Server 6.5 Update 3f to 6.7 Update 3 is not supported.

Important: Upgrades and migrations from vCenter Server 6.5 Update 3k to vCenter Server 6.7 Update 3i and vCenter Server 7.0.0c are not supported. For more information on vCenter Server supported upgrade and migration paths, please refer to VMware knowledge base article 67077.

vCenter Server Appliance Photon OS Security Patches

vSphere 6.5 Update 1

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 21 September 2017 | 6671409 | 6.5 U1a (Security fixes for Photon OS) | httpd | 2.4.27-1 | CVE-2017-3167, CVE-2017-9788, CVE-2017-9789 |
| | | | pycrypto | 2.7a1-3 | CVE-2013-7459 |
| | | | linux | 4.4.79-1 | CVE-2017-11176, CVE-2017-11473, CVE-2017-7541 |
| | | | ncurses | 6.0-5 | CVE-2017-10684, CVE-2017-10685 |
| 26 October 2017 | 6816762 | 6.5 U1b (Security fixes for Photon OS are listed here. For details on other fixes, click here) | ruby | 2.4.0-5 | CVE-2017-9224, CVE-2017-9225, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 |
| | | | rsyslog | 8.15.0-6 | CVE-2017-12588 |
| | | | linux | 4.4.82-1 | CVE-2017-1000112, CVE-2017-7533, CVE-2017-7542, CVE-2017-10911 |
| | | | shadow | 4.2.1-11 | CVE-2017-12424 |
| 19 December 2017 | 7312210 | 6.5 U1d (Security fixes for Photon OS are listed here. This release also addresses all relevant moderate security issues in Photon OS before PHSA-2017-0037. For details on other fixes, click here) | linux | 4.4.88-1 | CVE-2017-11600, CVE-2017-14340 |
| | | | dnsmasq | 2.76-2 | CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496 |
| | | | perl | 5.22.1-5 | CVE-2017-12883, CVE-2017-12837 |
| | | | ruby | 2.4.2-1 | CVE-2017-0898 |
| 15 February 2018 | 7801515 | 6.5 U1f (Security fixes for Photon OS) | linux | 4.4.110-2 | CVE-2017-11472, CVE-2017-12154, CVE-2017-15265, CVE-2017-15649, CVE-2017-15951, CVE-2017-15115, CVE-2017-5753, CVE-2017-5754, CVE-2017-8824, CVE-2017-17448, CVE-2017-17450, CVE-2017-16939 |
| | | | libgcrypt | 1.7.6-3 | CVE-2017-0379 |
| | | | c-ares | 1.12.0-2 | CVE-2017-1000381 |
| | | | ncurses | 6.0-8 | CVE-2017-13728, CVE-2017-16879 |
| | | | libtasn1 | 4.12-1 | CVE-2017-10790 |
| | | | wget | 1.18-3 | CVE-2017-13090, CVE-2017-13089 |
| | | | procmail | 3.22-4 | CVE-2017-16844 |
| | | | rsync | 3.1.2-4 | CVE-2017-16548, CVE-2017-17433, CVE-2017-17434 |
| | | | apr | 1.5.2-7 | CVE-2017-12613 |
| 20 March 2018 | 8024368 | 6.5 U1g (Security fixes for Photon OS are listed here. For details on other fixes, click here) | linux | 4.4.115-1 | CVE-2018-5344 |
| | | | libtasn1 | 4.13-1 | CVE-2018-6003 |
| | | | dnsmasq | 2.76-5 | CVE-2017-15107 |

vSphere 6.5 Update 2

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 3 May 2018 | 8307201 | 6.5 U2 (Security fixes for Photon OS are listed here. This release also addresses all relevant moderate security issues in Photon OS before PHSA-2018-1.0-0109. For details on other fixes, click here) | glibc | 2.22-18 | CVE-2017-15670, CVE-2017-15804, CVE-2015-5180, CVE-2016-5417, CVE-2017-16997 |
| | | | tdnf | 1.1.0-3 | CVE-2017-7501 |
| | | | curl | 7.58.0-1 | CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8818 |
| | | | ruby | 2.4.3-2 | CVE-2017-17405, CVE-2017-17790 |
| | | | python2 | 2.7.13-4 | CVE-2017-1000158 |
| | | | python-rpm | 4.13.0.1-4 | CVE-2017-7501 |
| | | | rpm | 4.13.0.1-4 | CVE-2017-7501 |
| | | | krb5 | 1.16-1 | CVE-2017-11462, CVE-2017-15088 |
| 31 May 2018 | 8667236 | 6.5 U2a (Security fixes for Photon OS) | systemd | 228-45 | CVE-2017-18078 |
| | | | nettle | 3.3-1 | CVE-2016-6489 |
| | | | patch | 2.7.5-3 | CVE-2018-6951 |
| | | | httpd | 2.4.33-1 | CVE-2018-1303, CVE-2017-15715, CVE-2017-15710, CVE-2018-1301, CVE-2018-1302 |
| | | | librelp | 1.2.9-3 | CVE-2018-1000140 |
| | | | linux | 4.4.131-2 | CVE-2018-1000026, CVE-2018-8822, CVE-2018-7757, CVE-2018-1094, CVE-2018-1092, CVE-2017-18255, CVE-2018-8897 |
| | | | rsync | 3.1.3-1 | CVE-2018-5764 |
| 28 June 2018 | 8815520 | 6.5 U2b (Security fixes for Photon OS are listed here. For details on other fixes, click here) | patch | 2.7.5-4 | CVE-2018-6951, CVE-2018-1000156 |
| | | | unzip | 6.0-9 | CVE-2018-1000035 |
| 29 November 2018 | 10964411 | 6.5 U2d (Security fixes for Photon OS are listed here. For details on other fixes, click here) | linux | 4.4.157-1 | CVE-2018-10879, CVE-2018-13053 |
| | | | curl | 7.59.0-3 | CVE-2018-0500 |
| | | | python3 | 3.5.5-2 | CVE-2018-1060, CVE-2018-1061 |
| | | | patch | 2.7.5-5 | CVE-2018-6952 |
| | | | ncurses | 6.0-9 | CVE-2018-10754 |
| | | | libmspack | 0.5alpha-4 | CVE-2017-6419 |
| | | | pcre | 8.41-2 | CVE-2017-11164 |
| | | | procps-ng | 3.3.15-1 | CVE-2018-1126 |
| 20 December 2018 | 11347054 | 6.5 U2e (Security fixes for Photon OS) | rpm | 4.13.0.2-1 | CVE-2017-7500 |
| | | | elfutils | 0.169-2 | CVE-2018-16402 |
| | | | libxml2 | 2.9.8-2 | CVE-2018-14404 |
| | | | systemd | 228-48 | CVE-2018-15688 |
| 21 March 2019 | 12863991 | 6.5 U2f (Security fixes for Photon OS) | systemd | 228-49 | CVE-2018-15686 |
| | | | libtirpc | 1.0.1-5 | CVE-2018-14621 |
| 30 May 2019 | 13834586 | 6.5 U2h (Security fixes for Photon OS) | systemd | 228-52 | CVE-2018-6954 |
| | | | linux | 4.4.177-1 | CVE-2019-7221 |
| | | | libxslt | 1.1.29-5 | CVE-2019-11068 |
| | | | gnutls | 3.5.15-4 | CVE-2019-3829 |

vSphere 6.5 Update 3

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 2 July 2019 | 14020092 | 6.5 U3 (Security fixes for Photon OS are listed here. For details on other fixes, click here) | Fuse | 2.9.5-3 | CVE-2018-10906 |
| | | | Curl | 7.59.0-7 | CVE-2018-14618, CVE-2018-16839 |
| | | | paramiko | 1.17.6-2 | CVE-2018-1000805 |
| | | | linux | 4.4.177-1 4.4.182-1 | CVE-2018-19824, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
| | | | systemd | 228-52 | CVE-2018-16865, CVE-2018-16864 |
| | | | perl | 5.24.1-4 | CVE-2018-18313, CVE-2018-18311, CVE-2018-18312, CVE-2018-18314 |
| | | | python3 | 3.5.6-4 | CVE-2018-20406 |
| | | | rsyslog | 8.15.0-9 | CVE-2018-16881 |
| | | | PyYAML | 3.12-3 | CVE-2017-18342 |
| | | | python-requests | 2.9.1.2 | CVE-2018-18074 |
| | | | python2 | 2.7.15-5 | CVE-2018-14647, CVE-2019-9948, CVE-2019-9636 |
| | | | glibc | 2.22-26 | CVE-2019-9169 |
| | | | pycrypto | 2.6.1-5 | CVE-2018-6594 |
| | | | glib | 2.47.6-3 | CVE-2018-16428, CVE-2018-16429 |
| | | | ruby | 2.5.3-1 | CVE-2018-16395, CVE-2018-16396 |
| | | | httpd | 2.4.39 | CVE-2018-11763 |
| 25 July 2019 | 14156547 | 6.5 U3a (Security fixes for Photon OS) | wget | 1.20.3-1 | CVE-2019-5953, CVE-2018-20483 |
| 27 August 2019 | 14389939 | 6.5 U3b (Security fixes for Photon OS) | bzip2 | 1.0.6-7 | CVE-2019-12900 |
| 24 September 2019 | 14690228 | 6.5 U3c (Security fixes for Photon OS) | unzip | 6.0-11 | CVE-2019-13232 |
| | | | libxslt | 1.1.29-6 | CVE-2019-13117, CVE-2019-13118 |
| | | | libmspack | 0.7.1 alpha-2 | CVE-2018-14682, CVE-2018-14681 |
| | | | expat | 2.2.4-2 | CVE-2018-20843 |
| | | | patch | 2.7.5-6 | CVE-2019-13638 |
| | | | linux | 4.4.189-1 | CVE-2019-11487, CVE-2018-20856 |
| 24 October 2019 | 14836121 | 6.5 U3d (Security fixes for Photon OS are listed here. For details on other fixes, click here) | linux | 4.4.191-1 | CVE-2019-15902, CVE-2016-10905, CVE-2019-10638 |
| 26 November 2019 | 15127636 | 6.5 U3e (Security fixes for Photon OS) | sudo | 1.8.20p2-2 | CVE-2019-14287 |
| | | | bash | 4.3.48-4 | CVE-2012-6711 |
| 19 December 2019 | 15259038 | 6.5 U3f (Security fixes for Photon OS are listed here. For details on other fixes, click here) | sqlite-autoconf | 3.27.2-3 | CVE-2019-8457, CVE-2019-9937, CVE-2019-9936 |
| | | | linux | 4.4.193-1 | CVE-2019-14835 |
| | | | systemd | 228-56 | CVE-2019-3842 |
| | | | glib | 2.58.3-1 | CVE-2019-12450, CVE-2019-13012 |
| | | | curl | 7.59.0-8 | CVE-2019-5436 |
| | | | vim | 7.4-12 | CVE-2019-12735 |
| | | | python3 | 3.5.6-10 | CVE-2019-10160 |
| | | | postgresql | 9.6.14-1 | CVE-2019-10164 |
| | | | python2 | 2.7.15-10 | CVE-2019-16056 |
| | | | gettext | 0.19.5.1-6 | CVE-2018-18751 |
| | | | tar | 1.29-4 | CVE-2019-9923, CVE-2016-6321 |
| 30 January 2020 | 15505374 | 6.5 U3g (Security fixes for Photon OS) | dhcp | 4.3.5-5 | CVE-2018-5732 |
| | | | libxslt | 1.1.29-7 | CVE-2019-18197 |
| | | | tcpdump | 4.9.3-1 | CVE-2018-16227, CVE-2018-14466, CVE-2018-14462, CVE-2018-14469, CVE-2018-10103, CVE-2018-14882, CVE-2018-14463, CVE-2019-15166, CVE-2018-14461, CVE-2018-10105, CVE-2018-14879, CVE-2018-16301, CVE-2018-14470, CVE-2018-16451, CVE-2018-14467, CVE-2018-14881, CVE-2018-16229, CVE-2018-16228, CVE-2018-16230, CVE-2018-14880, CVE-2018-14465, CVE-2018-14468, CVE-2018-14464, CVE-2018-16300, CVE-2018-16452 |
| 27 February 2020 | 15679215 | 6.5 U3h (Security fixes for Photon OS) | libxslt | 1.1.29-8 | CVE-2019-5815 |
| | | | systat | 12.2.0-1 | CVE-2019-19725 |
| 26 March 2020 | 15808842 | 6.5 U3i (Security fixes for Photon OS) | libsolv | 0.6.19-7 | CVE-2019-20387 |
| | | | xerces-c | 3.2.2-1 | CVE-2018-1311 |
| | | | libxml2 | 2.9.10-2 | CVE-2020-7595, CVE-2019-19956, CVE-2019-20388 |
| | | | cpio | 2.12-3 | CVE-2019-14866 |
| 28 May 2020 | 16275158 | 6.5 U3j (Security fixes for Photon OS) | unzip | 6.0-12 | CVE-2014-8139, CVE-2014-8141, CVE-2014-8140 |
| | | | gdb | 7.8.2-10 | CVE-2019-1010180 |
| 30 July 2020 | 16613358 | 6.5 U3k (Security fixes for Photon OS are listed here. For details on other fixes, click here) | file | 5.38-1 | CVE-2019-18218, CVE-2019-8904 |
| | | | python2 | 2.7.15-16 | CVE-2019-5010, CVE-2019-17514, CVE-2020-8492 |
| | | | linux | 4.4.221-3 | CVE-2019-19066, CVE-2019-16233, CVE-2020-11565, CVE-2020-11668, CVE-2019-19319, CVE-2020-12464 |
| | | | PyYAML | 3.12-5 | CVE-2019-20477, CVE-2020-1747 |
| | | | ruby | 2.5.8-1 | CVE-2020-10663, CVE-2020-10933 |
| | | | bash | 4.3.48-5 | CVE-2019-18276 |
| | | | ncurses | 6.0-10 | CVE-2019-17594 |
| | | | cyrus-sasl | 2.1.26-12 | CVE-2019-19906 |
| | | | bindutils | 9.15.6-1 | CVE-2019-6470 |
| | | | sqlite-autoconf | 3.31.1-3 | CVE-2020-11655 |
| | | | httpd | 2.4.43-1 | CVE-2020-1934 |
| | | | systemd | 228-59 | CVE-2019-20386, CVE-2020-13776 |
| | | | ntp | 4.2.8p14-1 | CVE-2020-11868 |
| | | | openldap | 2.4.43-4 | CVE-2020-12243 |
| | | | vim | 7.4-13 | CVE-2019-20807 |
| | | | python3 | 3.5.6-13 | CVE-2019-17514 |
| | | | libpcap | 1.9.1-1 | CVE-2019-15163 |
| | | | perl | 5.24.1-6 | CVE-2020-10878 |
| 25 August 2020 | 16764584 | 6.5 U3l (Security fixes for Photon OS) | atftp | 0.7.1-9 | CVE-2019-11365, CVE-2019-11366 |

The patches listed above are cumulative: the latest patch also includes the content of all prior patches.