This document tracks the release of the monthly patches to the Photon Operating System bundled in the VMware vCenter Server Appliance.

You can download the deliverables from the Product Patches page after you log in to VMware Customer Connect.

Installation Steps

To apply the Photon OS security patches to the vCenter Server Appliance, you can use one of the following methods.

  • Deploy a new vCenter Server Appliance by using either the GUI or the CLI installer.

    For information about doing a fresh install of the vCenter Server Appliance, see Deploying the vCenter Server Appliance and Platform Services Controller Appliance.

  • Upgrade to the version of the vCenter Server Appliance containing the latest Photon OS security patches by using either the GUI or the CLI installer.

    For information about upgrading the vCenter Server Appliance, see Upgrading the vCenter Server Appliance and Platform Services Controller Appliance.

  • Patch the appliance either by using the appliance shell or the Appliance Management Interface.

    IMPORTANT: You can update the vCenter Server Appliance with Photon OS patches released within the same Update release. Currently, you can patch the appliance with Photon OS patches only if you have updated the vCenter Server Appliance to 6.7 Update 3.

    If you try to update the vCenter Server Appliance directly from an unsupported base version of 6.7 to the current Photon OS patch version by using the vCenter Server Appliance Management Interface, you see the message "No applicable update found". This is expected. You must first update the vCenter Server Appliance to version 6.7 Update 3 and then apply the selected Photon OS patch to the appliance.

    For information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

  • Perform a file-based backup and restore in which, during the restore process, you deploy a new appliance containing the latest Photon OS security patches.

    For information about performing a file-based backup and restore of the vCenter Server Appliance, see File-Based Backup and Restore of vCenter Server Appliance.

  • Migrate a vCenter Server on Windows instance to a version of the vCenter Server Appliance containing the latest Photon OS security patches.

    For information about performing a migration of vCenter Server on Windows to vCenter Server Appliance, see Migrating vCenter Server for Windows to vCenter Server Appliance.

Upgrade Notes

Upgrades from vCenter Server 6.7 Update 1a to 6.7 Update 2a, 6.7 Update 2c, and 6.7 Update 3 are not supported. You must first upgrade to vCenter Server 6.7 Update 1b or 6.7 Update 2, and then patch your system to 6.7 Update 2a, 6.7 Update 2c, or 6.7 Update 3.

Important: Upgrades and migrations from vCenter Server 6.5 Update 3k to vCenter Server 6.7 Update 3i are not supported. For more information on vCenter Server supported upgrade and migration paths, please refer to VMware knowledge base article 67077.

For patches to VMware vCenter Server 6.7 Update 3p or later from vCenter Server Appliance Photon OS 6.7 Update 3c, 6.7 Update 3d, 6.7 Update 3e, 6.7 Update 3h, 6.7 Update 3i, 6.7 Update 3k, you must first update to VMware vCenter Server 6.7 Update 3o.

vCenter Server Appliance Photon OS Security Patches

vSphere 6.7.0 updates

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 28 June 2018 | 8832884 | 6.7.0b (Security fixes for Photon OS are listed here. For details on other fixes, click here) | ncurses | 6.0-8 | CVE-2017-13728, CVE-2017-16879 |
| | | | wget | 1.18-3 | CVE-2017-13090, CVE-2017-13089 |
| | | | httpd | 2.4.33-1 | CVE-2018-1303, CVE-2017-15715, CVE-2017-15710, CVE-2018-1301, CVE-2018-1302 |
| | | | librelp | 1.2.9-3 | CVE-2018-1000140 |
| | | | ruby | 2.4.4-1 | CVE-2017-0898 |
| | | | rsync | 3.1.3-1 | CVE-2018-5764 |
| | | | procmail | 3.22-4 | CVE-2017-16844 |
| | | | shadow | 4.2.1-12 | CVE-2017-12424 |
| | | | libgcrypt | 1.7.6-3 | CVE-2017-0379 |
| | | | dnsmasq | 2.76-5 | CVE-2017-15107 |

vSphere 6.7 Update 1

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 16 October 2018 | 10244745 | 6.7 U1 (Security fixes for Photon OS are listed here. For details on other fixes, click here) | procps-ng | 3.3.15-1 | CVE-2018-1126, CVE-2018-1122, CVE-2018-1125, CVE-2018-1124, CVE-2018-1123 |
| | | | linux | 4.4.152-1 | CVE-2018-3620 |
| | | | pcre | 8.41-2 | CVE-2017-11164 |
| | | | ntp | 4.2.8p11-1 | CVE-2018-7183, CVE-2018-7182, CVE-2018-7184, CVE-2018-7185 |
| | | | ncurses | 6.0-9 | CVE-2018-10754 |
| | | | curl | 7.59.0-2 | CVE-2018-1000300, CVE-2018-1000301 |
| | | | paramiko | 1.17.6-1 | CVE-2018-7750 |
| | | | glibc | 2.22-21 | CVE-2018-11236 |
| | | | libmspack | 0.5alpha-3 | CVE-2017-6419 |
| | | | xerces-c | 3.2.1-1 | CVE-2017-12627 |
| 20 December 2018 | 11338176 | 6.7 U1a (Security fixes for Photon OS) | rpm | 4.13.0.2-1 | CVE-2017-7500 |
| | | | elfutils | 0.169-2 | CVE-2018-16402 |
| | | | libxml2 | 2.9.8-2 | CVE-2018-14404 |
| | | | systemd | 228-48 | CVE-2018-15688 |
| | | | httpd | 2.4.34-1 | CVE-2018-1333 |
| | | | linux | 4.4.161-1 | CVE-2018-13053 |
| | | | patch | 2.7.5-5 | CVE-2018-6952 |

vSphere 6.7 Update 2

 

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 11 April 2019 | 13010631 | 6.7 U2 (Security fixes for Photon OS are listed here. For details on other fixes, click here) | systemd | 228-50 | CVE-2018-16865, CVE-2018-16864 |
| | | | linux | 4.4.171-1 | CVE-2018-19824 |
| | | | ruby, rubygem-libxml-ruby | 2.5.3-1, 3.0.0-3 | CVE-2018-16395, CVE-2018-16396 |
| | | | paramiko | 1.17.6-2 | CVE-2018-1000805 |
| | | | fuse | 2.9.5-3 | CVE-2018-10906 |
| | | | python2 | 2.7.15-3 | CVE-2018-14647 |
| | | | curl | 7.59.0-5 | CVE-2018-14618, CVE-2018-16839 |
| | | | apache-tomcat | 8.5.35-1 | CVE-2018-8037 |
| | | | libmspack | 0.5alpha-5 | CVE-2018-14679, CVE-2018-14680 |
| | | | libgcrypt | 1.7.6-4 | CVE-2018-0495 |
| | | | krb5 | 1.16-2 | CVE-2018-5730 |
| | | | shadow | 4.2.1-13 | CVE-2018-7169 |
| | | | file | 5.24-3 | CVE-2018-10360 |
| | | | postgresql | 9.6.10-1 | CVE-2018-10925, CVE-2018-10915 |
| | | | libtirpc | 1.0.1-5 | CVE-2018-14621 |
| | | | glibc | 2.22-22 | CVE-2017-15671 |
| | | | pkg-config | 0.28-3 | CVE-2018-16428, CVE-2018-16429 |
| 30 May 2019 | 13843380 | 6.7 U2b (Security fixes for Photon OS) | systemd | 228-52 | CVE-2018-6954 |
| | | | linux | 4.4.177-1 | CVE-2019-7221 |
| | | | libxslt | 1.1.29-5 | CVE-2019-11068 |
| | | | gnutls | 3.5.15-4 | CVE-2019-3829 |
| 16 July 2019 | 14070457 | 6.7 U2c (Security fixes for Photon OS are listed here. For details on other fixes, click here) | httpd | 2.4.39-1 | CVE-2018-17199, CVE-2019-0190, CVE-2019-0217, CVE-2019-0211, CVE-2019-0215 |
| | | | wget | 1.20.3-1 | CVE-2019-5953, CVE-2018-20483 |
| | | | linux | 4.4.182-1 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |

vSphere 6.7 Update 3

| Release Date | Build Number | Patch Name | Affected Package | New Package Versions | CVEs Addressed |
|---|---|---|---|---|---|
| 20 August 2019 | 14367737 | 6.7 U3 (Security fixes for Photon OS are listed here. For details on other fixes, click here) | perl | 5.24.1-2 | CVE-2018-12015 |
| | | | openssl | 1.0.2o-3 | CVE-2018-0732 |
| | | | glib | 2.47.6-3 | CVE-2018-16429 |
| | | | python2 | 2.7.15-5 | CVE-2019-9948 |
| | | | PyYAML | 3.12-3 | CVE-2017-18342 |
| | | | python-requests | 2.13.0-2 | CVE-2018-18074 |
| | | | gettext | 0.19.5.1-4 | CVE-2018-18751 |
| | | | sqlite-autoconf | 3.27.2-1 | CVE-2019-9936 |
| | | | systemd | 228-53 | CVE-2019-3842 |
| | | | tar | 1.29-2 | CVE-2019-9923 |
| | | | linux | 4.4.182-1 | CVE-2019-11477, CVE-2019-12456 |
| 24 October 2019 | 14836122 | 6.7 U3a (Security fixes for Photon OS are listed here. For details on other fixes, click here) | bzip2 | 1.0.6-7 | CVE-2019-12900 |
| | | | patch | 2.7.5-6 | CVE-2019-13638 |
| | | | expat | 2.2.4-2 | CVE-2018-20843 |
| | | | libmspack | 0.7.1alpha-2 | CVE-2018-14682, CVE-2018-14681 |
| | | | linux | 4.4.191-1 | CVE-2019-15902, CVE-2016-10905, CVE-2019-10638 |
| | | | unzip | 6.0-11 | CVE-2019-13232 |
| | | | libxslt | 1.1.29-6 | CVE-2019-13117, CVE-2019-13118 |
| 05 December 2019 | 15132721 | 6.7 U3b (Security fixes for Photon OS are listed here. For details on other fixes, click here) | bash | 4.3.48-4 | CVE-2012-6711 |
| | | | sqlite-autoconf | 3.27.2-2 | CVE-2019-9937 |
| | | | linux | 4.4.180-1 | CVE-2019-11810, CVE-2018-20836, CVE-2019-11815, CVE-2019-11190 |
| | | | glib | 2.58.3-1 | CVE-2019-13012 |
| | | | curl | 7.59.0-8 | CVE-2019-5436 |
| | | | vim | 7.4-12 | CVE-2019-12735 |
| | | | python3 | 3.5.6-7 | CVE-2019-10160 |
| | | | postgresql | 9.6.14-1 | CVE-2019-10164 |
| | | | sudo | 1.8.20p2-2 | CVE-2019-14287 |
| 30 January 2020 | 15505668 | 6.7 U3c (Security fixes for Photon OS) | dhcp | 4.3.5-5 | CVE-2018-5732 |
| | | | libxslt | 1.1.29-7 | CVE-2019-18197 |
| | | | tcpdump | 4.9.3-1 | CVE-2018-16227, CVE-2018-14466, CVE-2018-14462, CVE-2018-14469, CVE-2018-10103, CVE-2018-14882, CVE-2018-14463, CVE-2019-15166, CVE-2018-14461, CVE-2018-10105, CVE-2018-14879, CVE-2018-16301, CVE-2018-14470, CVE-2018-16451, CVE-2018-14467, CVE-2018-14881, CVE-2018-16229, CVE-2018-16228, CVE-2018-16230, CVE-2018-14880, CVE-2018-14465, CVE-2018-14468, CVE-2018-14464, CVE-2018-16300, CVE-2018-16452 |
| 27 February 2020 | 15679281 | 6.7 U3d (Security fixes for Photon OS) | libxslt | 1.1.29-8 | CVE-2019-5815 |
| | | | sysstat | 12.2.0-1 | CVE-2019-19725 |
| 26 March 2020 | 15808844 | 6.7 U3e (Security fixes for Photon OS) | libsolv | 0.6.19-7 | CVE-2019-20387 |
| | | | xerces-c | 3.2.2-1 | CVE-2018-1311 |
| | | | libxml2 | 2.9.10-2 | CVE-2020-7595, CVE-2019-19956, CVE-2019-20388 |
| | | | cpio | 2.12-3 | CVE-2019-14866 |
| 28 April 2020 | 16046470 | 6.7 U3g (Security fixes for Photon OS are listed here. For details on other fixes, click here) | httpd | 2.4.41-1 | CVE-2019-10082, CVE-2019-10081, CVE-2019-10098, CVE-2019-10092 |
| | | | python3 | 3.5.6-13 | CVE-2019-16056, CVE-2019-17514 |
| | | | python2 | 2.7.15-13 | CVE-2019-16056, CVE-2019-17514, CVE-2019-16935, CVE-2019-5010 |
| | | | linux | 4.4.213-2 | CVE-2019-14835, CVE-2019-17666, CVE-2019-14821, CVE-2018-20976, CVE-2019-19066 |
| | | | tar | 1.29-4 | CVE-2016-6321 |
| | | | libpcap | 1.9.1-1 | CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-15162, CVE-2019-15163 |
| | | | file | 5.24-4 | CVE-2016-6321 |
| | | | curl | 7.59.0-9 | CVE-2019-5482, CVE-2019-5481 |
| | | | ruby | 2.5.7-1 | CVE-2019-15845, CVE-2019-16255, CVE-2019-16201 |
| | | | sqlite-autoconf | 3.31.1-1 | CVE-2019-19317, CVE-2019-19603, CVE-2019-19646, CVE-2019-20218, CVE-2019-19880, CVE-2019-19645 |
| | | | sudo | 1.8.30-1 | CVE-2019-19234, CVE-2019-19232 |
| | | | dbus | 1.13.6-2 | CVE-2019-12749 |
| 28 May 2020 | 16275304 | 6.7 U3h (Security fixes for Photon OS) | unzip | 6.0-12 | CVE-2014-8139, CVE-2014-8141, CVE-2014-8140 |
| | | | gdb | 7.8.2-10 | CVE-2019-1010180 |
| 30 July 2020 | 16616482 | 6.7 U3i (Security fixes for Photon OS) | vim | 7.4-13 | CVE-2019-20807 |
| 20 August 2020 | 16708996 | 6.7 U3j (Security fixes for Photon OS are listed here. For details on other fixes, click here) | ncurses | 6.0-10 | CVE-2019-17594 |
| | | | cyrus-sasl | 2.1.26-12 | CVE-2019-19906 |
| | | | file | 5.38-1 | CVE-2019-8904 |
| | | | linux | 4.4.224-1 | CVE-2020-11565, CVE-2020-11668, CVE-2019-19319, CVE-2020-12464, CVE-2020-12770 |
| | | | ntp | 4.2.8p14-1 | CVE-2020-11868 |
| | | | openldap | 2.4.43-4 | CVE-2020-12243 |
| | | | ruby | 2.5.8-1 | CVE-2020-10663, CVE-2020-10933 |
| | | | glibc | 2.22-29 | CVE-2020-1752, CVE-2020-10029 |
| | | | json-c | 0.13.1-1 | CVE-2020-12762 |
| | | | sqlite-autoconf | 3.32.1-1 | CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13631, CVE-2020-13632, CVE-2020-13630 |
| | | | expat | 2.2.9-1 | CVE-2019-15903 |
| | | | openssh | 7.4p1-12 | CVE-2020-12062 |
| | | | systemd | 228-59 | CVE-2020-1712, CVE-2020-13776, CVE-2019-20386 |
| | | | httpd | 2.4.43-1 | CVE-2020-1934 |
| | | | PyYAML | 3.12-5 | CVE-2020-1747 |
| | | | perl | 5.24.1-6 | CVE-2020-10543, CVE-2020-10878, CVE-2020-12723 |
| 22 October 2020 | 17028579 | 6.7 U3k (Security fixes for Photon OS) | libxml2 | 2.9.10-3 | CVE-2020-24977 |
| 19 November 2020 | 17138064 | 6.7 U3l (Security fixes for Photon OS are listed here. For details on other fixes, click here) | bindutils | 9.16.6-1 | CVE-2020-8623, CVE-2020-8624 |
| | | | cifs-utils | 6.4-3 | CVE-2020-14342 |
| | | | gnutls | 3.5.15-5 | CVE-2020-11501 |
| | | | postgresql | 9.6.19-1 | CVE-2020-14350, CVE-2020-14349 |
| | | | linux | 4.4.234-5 | CVE-2019-19816, CVE-2019-19813, CVE-2020-14390 |
| | | | grub2 | 2.04-1 | CVE-2020-10713, CVE-2020-14310, CVE-2020-14309, CVE-2020-15705, CVE-2020-14311, CVE-2020-15707, CVE-2020-15706, CVE-2020-14308 |
| | | | httpd | 2.4.46-1 | CVE-2020-11984, CVE-2020-11993 |
| | | | linux-esx | 4.4.234-5 | CVE-2019-19816, CVE-2019-19813 |
| | | | net-snmp | 5.7.3-11 | CVE-2019-20892 |
| | | | python2 | 2.7.15-17 | CVE-2019-20907 |
| | | | python3 | 3.5.6-16 | CVE-2020-14422, CVE-2019-20907 |
| | | | python-Twisted | 17.1.0-9 | CVE-2020-10108, CVE-2020-10109, CVE-2019-12855, CVE-2019-12387 |
| | | | sqlite-autoconf | 3.32.1-2 | CVE-2020-15358 |
| 18 March 2021 | 17713310 | 6.7 U3m (Security fixes for Photon OS are listed here. For details on other fixes, click here) | atftp | 0.7.1-10.ph1 | CVE-2020-6097 |
| | | | curl | 7.59.0-12.ph1 | CVE-2020-8286, CVE-2020-8285, CVE-2020-8284 |
| | | | dnsmasq | 2.82-1.ph1 | CVE-2020-25681, CVE-2020-25682, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687, CVE-2020-25683 |
| | | | glib | 2.58.3-2.ph1 | CVE-2020-35457 |
| | | | glibc | 2.22-32.ph1 | CVE-2020-29573, CVE-2019-25013 |
| | | | linux | 4.4.250-1.ph1 | CVE-2020-29661, CVE-2020-36158 |
| | | | openldap | 2.4.43-5.ph1 | CVE-2020-25692 |
| | | | openssl | 1.0.2x-2.ph1 | CVE-2020-1971 |
| | | | postgresql | 9.6.20-1.ph1 | CVE-2020-25694, CVE-2020-25695 |
| | | | postgresql-libs | 9.6.20-1.ph1 | CVE-2020-25694, CVE-2020-25695 |
| | | | python3 | 3.5.6-18.ph1 | CVE-2020-27619 |
| | | | python3-devel | 3.5.6-18.ph1 | CVE-2020-27619 |
| | | | python3-libs | 3.5.6-18.ph1 | CVE-2020-27619 |
| | | | ruby | 2.5.8-2.ph1 | CVE-2020-25613 |
| | | | sudo | 1.9.5-2.ph1 | CVE-2021-23240 |
| | | | tcpdump | 4.9.3-2.ph1 | CVE-2020-8037 |
| 23 November 2021 | 18831133 | 6.7 U3p (Security fixes for Photon OS are listed here. For details on other fixes, click here) | util-linux | 2.27.1-7.ph1 | CVE-2021-37600 |
| | | | curl | 7.78.0-2.ph1 | CVE-2021-22945, CVE-2021-22947, CVE-2021-22946 |
| | | | httpd | 2.4.48-2.ph1 | CVE-2021-33193 |
| | | | cpio | 2.13-1.ph1 | CVE-2021-38185 |
| 14 June 2022 | 19832974 | 6.7 U3r (Security fixes for Photon OS are listed here. For details on other fixes, click here) | atftp | 0.7.1-11 | CVE-2021-41054 |
| | | | bindutils | 9.16.22-1 | CVE-2021-41054 |
| | | | expat | 2.2.9-8 | CVE-2022-22824, CVE-2022-22823, CVE-2022-22822, CVE-2022-22827, CVE-2022-22826, CVE-2022-22825, CVE-2021-46143, CVE-2021-45960 |
| | | | glibc | 2.22-39 | CVE-2019-9192, CVE-2018-20796, CVE-2009-5155, CVE-2016-10228, CVE-2015-8985, CVE-2019-19126, CVE-2010-3192 |
| | | | httpd | 2.4.53-1 | CVE-2021-44790, CVE-2021-44224 |
| | | | libgcrypt | 1.7.6-8 | CVE-2018-6829, CVE-2021-40528 |
| | | | libxml2 | 2.9.11-3 | CVE-2021-3518, CVE-2021-3517, CVE-2019-19956, CVE-2018-14404, CVE-2021-3541, CVE-2022-3541 |
| | | | linux | 4.4.302-1 | CVE-2021-3653, CVE-2021-0929, CVE-2021-40490, CVE-2021-0941, CVE-2021-39656, CVE-2020-26145, CVE-2020-26141, CVE-2021-28715, CVE-2021-28714, CVE-2021-28713, CVE-2021-28712, CVE-2021-28711, CVE-2021-0920, CVE-2021-33098, CVE-2021-28951, CVE-2020-36322, CVE-2016-10723, CVE-2019-19036, CVE-2018-13095, CVE-2021-39633, CVE-2021-38198, CVE-2021-35477, CVE-2021-34556, CVE-2021-29155, CVE-2020-8832, CVE-2020-36310, CVE-2020-12655, CVE-2020-12364, CVE-2020-12363, CVE-2015-1350, CVE-2020-12888, CVE-2021-20317, CVE-2021-39636, CVE-2021-39648, CVE-2021-3655, CVE-2015-2877, CVE-2021-4083 |
| | | | ncurses | 6.0-11 | CVE-2021-39537 |
| | | | nss | 3.44-5 | CVE-2021-43527 |
| | | | openssh | 7.4p1-13 | CVE-2021-41617, CVE-2020-14145 |
| | | | python3-urllib3 | 3-1.26.6-1 | CVE-2018-20060, CVE-2021-33503, CVE-2019-11324, CVE-2020-26137, CVE-2019-11236 |
| | | | python3-Pygments | 2.9.0-1 | CVE-2021-27291, CVE-2021-20270 |
| | | | runc | 1.0.0.rc93-5 | CVE-2022-23806, CVE-2022-23772, CVE-2022-24921, CVE-2022-23773, CVE-2021-44716, CVE-2021-41772, CVE-2021-41771, CVE-2021-44717 |
| 6th October 2022 | 20540798 | 6.7 U3s (Security fixes for Photon OS are listed here. For details on other fixes, click here) | httpd | 2.4.54-1 | CVE-2022-31813, CVE-2022-28615 |
| | | | linux | 4.4.302-2 | CVE-2022-20153, CVE-2022-20166, CVE-2022-20154, CVE-2022-20148, CVE-2022-1998, CVE-2022-32296, CVE-2022-1943, CV-2022-1966, CVE-2022-1789, CVE-2022-1786, CVE-2022-1678, CVE-2022-29581, CVE-2022-1734, CVE-2022-30594, CVE-2021-6401, CVE-2022-29968, CVE-2022-29582, CVE-2022-20008, CVE-2022-28796, CVE-2022-1419, CVE-2022-1353, CVE-2022-2889, CVE-2022-1280, CVE-2021-0707, CVE-2022-28356, CVE-2021-33061, CVE-2021-39714, CVE-2022-1015, CVE-2022-0494, CVE-022-0854, CVE-2022-0742, CVE-2021-39711, CVE-2022-1011, CVE-2022-0995, CVE-2021-4023, CVE-2022-23960, CVE-2022-2342, CVE-2022-23041, CVE-2022-23040, CVE-2022-23039, CVE-2022-23038, CVE-2022-23037, CVE-2022-23036, CVE-2022-0500, CVE-2021-39713, CVE-2022-0002, CVE-2022-0001, CVE-2022-24448, CVE-2021-4148, CVE-2021-4197, CVE-2021-4150, CVE-221-4149, CVE-2021-39633, CVE-2021-39636, CVE-2021-39656, CVE-2021-39648, CVE-2021-33098, CVE-2021-0941, CVE-2021-0317, CVE-2021-35477, CVE-2021-34556, CVE-2020-26145, CVE-2020-26141, CVE-2021-29155, CVE-2021-28951, CVE-2020-1264, CVE-2020-12363, CVE-2015-1350, CVE-2020-8832, CVE-2015-2877, CVE-2018-13095, CVE-2016-10723, CVE-2020-12655, CVE-2019-19036 |
| | | | openldap | 2.4.57-3 | CVE-2022-29155 |
| | | | audit | 2.5.2-3 | CVE-2022-24921 |
| | | | bindutils | 9.16.27-1 | CVE-2021-45078 |

The patches listed above are cumulative. The latest patch includes the content of all prior patches.