VMware has released security advisory VMSA-2009-0008. The advisory is for a vulnerability in an MIT Kerberos 5 package in the service console. The advisory explains:

An input validation flaw in the asn1_decode_generaltime function in MIT Kerberos 5 before 1.6.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service.
NOTE: ESX by default is unaffected by this issue, the daemons kadmind and krb5kdc are not installed in ESX.

The advisory goes on to state that all currently supported version of ESX (not ESXi) are affected.
For ESX 3.5 the patch: ESX 3.5.0 ESX350-200906407-SG
md5sum: 6b8079430b0958abbf77e944a677ac6b
KB Article: VMware ESX 3.5, Patch ESX350-200906407-BG: Updates krb5-libs and pam_krb5

For ESX 2.5.5, 3.0.2, 3.0.3 and 4.0 patches are pending.

You can subscribe to VMware Security announcments here: http://lists.vmware.com/mailman/listinfo/security-announce