VMWare released a new security advisory about a vulnerability in the krb5 (Kerberos) package. The vulnerability allows a remote attacker to cause a DoS or potentially execute arbitrary code on the ESX server.

According to the advisory available at http://lists.vmware.com/pipermail/security-announce/2009/000059.html all ESX versions are affected (ESXi is not affected), however, the Kerberos package is not installed by default.

There were two new updates were released today.  The first update addresses issues with openssl, vim, and bind; the second update addresses multiple issues.

The first update is for the VMware ESX 3.0.2 and 3.0.3 release, and the second update applies to the following releases:
   VMware Workstation 6.5.1 and earlier,
   VMware Player 2.5.1 and earlier,
   VMware ACE 2.5.1 and earlier,
   VMware Server 2.0,
   VMware Server 1.0.8 and earlier,
   VMware ESXi 3.5 without patches ESXe350-200811401-O-SG, ESXe350-200903201-O-UG
   VMware ESX 3.5 without patches ESX350-200811401-SG, ESX350-200903201-UG
   VMware ESX 3.0.3 without patch ESX303-200811401-BG
   VMware ESX 3.0.2 without patch ESX-1006980

For full details on both updates, please visit the lists.vmware.com website.