Hey everyone! Our team needs to update VMware Tools due to some recent CVEs. We've been using open-vm-tools on our Linux machines, but the updates usually come through the distro package manager, which doesn't always provide the latest version we need. Is there a reliable way to update open-vm-tools without waiting for the latest versions to be available in the official repositories? Any advice would be greatly appreciated!
5 Answers
You could set up your own repo for the hosts and package the latest version from a tarball. This approach can even be automated! Just keep in mind, sometimes the updates might cause new issues that could be worse than the original bugs they aim to fix.
If you're using a reliable distribution, they usually backport security fixes. Make sure to check the CVE statuses on their security tracker for peace of mind.
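Added example (mine, not from the thread) for the two answers above: before packaging your own build from a tarball, check what the distro actually says about the CVE and whether your installed version is already past the fix. The script below parses a constructed sample shaped like the Debian security tracker's JSON export (https://security-tracker.debian.org/tracker/data/json) and compares the installed package version against the release's fixed_version using the dpkg version-ordering rules (epoch, upstream, revision; "~" sorts before everything, even end of string). The CVE ids are zeroed placeholders, and the release names and version strings are made up for the sample; none of it describes a real advisory.

```python
"""Compare an installed open-vm-tools version against a distro security
tracker entry. Added example; the sample data below is constructed."""
import json

# Constructed sample mirroring the tracker export's structure only:
# package -> CVE id -> releases -> {status, repositories, fixed_version, urgency}.
# The CVE ids are placeholders, not real advisories.
SAMPLE_TRACKER_JSON = json.dumps({"open-vm-tools": {
    "CVE-0000-0001": {"description": "placeholder (constructed)", "scope": "local",
        "releases": {
            "bookworm": {"status": "resolved", "urgency": "not yet assigned",
                         "repositories": {"bookworm": "2:12.2.0-1+deb12u2"},
                         "fixed_version": "2:12.2.0-1+deb12u2"},
            "sid": {"status": "resolved", "urgency": "not yet assigned",
                    "repositories": {"sid": "2:12.3.5-1"},
                    "fixed_version": "2:12.3.5-1"}}},
    "CVE-0000-0002": {"description": "placeholder (constructed)", "scope": "local",
        "releases": {
            "bookworm": {"status": "open", "urgency": "low",
                         "repositories": {"bookworm": "2:12.2.0-1+deb12u2"}}}}}})


def _order(c: str) -> int:
    """Weight of one non-digit character in dpkg's ordering."""
    if c == "~":
        return -1            # '~' sorts before everything, including end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg comparison of an upstream-version or revision string."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, compare digit by digit, longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0, 0 or >0, matching what dpkg --compare-versions decides for a vs b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def cve_status(tracker_json: str, package: str, cve: str, release: str, installed: str) -> str:
    """Classify the installed version against the tracker's entry for one CVE."""
    entry = json.loads(tracker_json).get(package, {}).get(cve)
    if entry is None:
        return "unknown-cve"
    rel = entry["releases"].get(release)
    if rel is None:
        return "not-tracked-for-release"
    if rel["status"] != "resolved":
        return "unfixed-in-distro"      # backport not out yet: judge the risk yourself
    fixed = rel.get("fixed_version")
    if fixed is None:
        return "resolved-unversioned"   # no version to compare against; review by hand
    return "fixed-installed" if compare_versions(installed, fixed) >= 0 else "fix-available"


if __name__ == "__main__":
    # On a real host, get `installed` from: dpkg-query -W -f='${Version}' open-vm-tools
    for cve in ("CVE-0000-0001", "CVE-0000-0002"):
        print(cve, cve_status(SAMPLE_TRACKER_JSON, "open-vm-tools", cve, "bookworm", "2:12.2.0-1+deb12u1"))
```

"fix-available" means the distro already ships the backport and a normal upgrade is enough; "unfixed-in-distro" is the only case where the own-repo route in the first answer buys you anything, and even then the tracker's urgency field is worth reading before deciding. Swap the sample for the live export and the release name for yours; Ubuntu's tracker uses a different layout, so the parser would need adjusting there.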
I prefer open-vm-tools, but from a compliance standpoint, VMware's official tools get quicker support and updates. That's why our organization only utilizes VMware tools instead of open-vm-tools.
If you're sticking with the distro package, just follow their release schedule. They generally provide backported security fixes for critical vulnerabilities.
Is this the CVE in question? I think unless you're in a strict regulatory environment, pushing for immediate updates might just be riskier in the long run. I suggest waiting for the distro to update, or temporarily uninstalling the package if needed. Open-vm-tools are handy, but not essential; going rogue can lead to potential dependency issues. A low-risk vulnerability like this might not warrant immediate action, especially if the risks of updating out-of-band outweigh the benefits.
That's the main reason I avoid it. There's a big risk of dependency conflicts in production environments. Better to let the distro manage those updates.