Sign up for Security

Enter your email address:


ESX Service Console and vMA updates for nss and nspr

VMware Security Advisory
Advisory ID: VMSA-2010-0001.1
Synopsis: ESX Service Console and vMA updates for nss and nspr
Issue date: 2010-03-03
Updated on: 2010-01-06 (initial release of advisory)
CVE numbers: CVE-2009-2409 CVE-2009-2408 CVE-2009-2404
CVE-2009-1563 CVE-2009-3274 CVE-2009-3370
CVE-2009-3372 CVE-2009-3373 CVE-2009-3374
CVE-2009-3375 CVE-2009-3376 CVE-2009-3380
1. Summary
Update for Service Console and vMA for nss and nspr packages.
2. Relevant releases
VMware ESX 4.0 without patch ESX400-200912403-SG

vMA without Patch 3
3. Problem Description
a. Update for Service Console packages nss and nspr
Service console packages for Network Security Services (NSS) and NetScape Portable Runtime (NSPR) are updated to versions nss- and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.

The Common Vulnerabilities and Exposures Project ( has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.

VMware Product Product Version Running on Replace with/ Apply Patch
============= ======= ======= =================
VirtualCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200912403-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX not affected
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 Patch 3

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
ESX 4.0
md5sum: 78c6cf139b7941dc736c9d3a41deae77
sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59

To install an individual bulletin use esxupdate with the -b option.
esxupdate -b ESX400-200912403-SG
update vMA 4.0
To update VIMA
1 Log in to VIMA as vi-admin.
2 type 'sudo /usr/sbin/vima-update update' this will apply all currently available updates. See for more information.
5. References
6. Change log
2010-01-06 VMSA-2010-0001
Initial security advisory after release of patch ESX400-200912403-SG for ESX 4.0 on 2010-01-06.
2010-03-03 VMSA-2010-0001.1
Updated advisory after release of vMA Patch 3 on 2010-02-25.
7. Contact
E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

* security-announce at
* bugtraq at
* full-disclosure at

E-mail: security at
PGP key at:

VMware Security Center

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2010 VMware Inc. All rights reserved.