Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
APPLE-SA-2007-11-14 Mac OS X v10.4.11 and Security Update 2007-008
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

APPLE-SA-2007-11-14 Mac OS X v10.4.11 and Security Update 2007-008



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-11-14 Mac OS X v10.4.11 and Security Update 2007-008

Mac OS X v10.4.11 and Security Update 2007-008 are now available and
provide fixes for the following security issues. Mac OS X v10.4.11
also provides additional functionality changes, and information is
available in its release note.

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.

AppleRAID
CVE-ID: CVE-2007-4678
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening a maliciously crafted disk image may lead to an
unexpected system shutdown
Description: A null pointer dereference issue in AppleRAID may be
triggered when mounting a striped disk image. This may lead to an
unexpected system shutdown. Note that Safari will automatically mount
disk images when "Open `safe' files after downloading" is enabled.
This update addresses the issue by performing additional validation
of disk images. Credit to Mark Tull of SSAM1 at University of
Hertfordshire, and Joel Vink of Zetera Corporation for reporting this
issue.

BIND
CVE-ID: CVE-2007-2926
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: An attacker may be able to control the content provided by a
DNS server
Description: ISC BIND 9 through 9.5.0a5 uses a weak random number
generator during the creation of DNS query IDs when answering
resolver questions or sending NOTIFY messages to slave name servers.
This makes it easier for remote attackers to guess the next query ID
and perform DNS cache poisoning. This update addresses the issue by
improving the random number generator.

bzip2
CVE-ID: CVE-2005-0953, CVE-2005-1260
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in bzip2
Description: bzip2 has been updated to version 1.0.4 to address a
remote denial of service, and a race condition which occurs during
modification of file permissions. Further information is available
via the bzip2 web site at http://bzip.org/

CFFTP
CVE-ID: CVE-2007-4679
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
A user's FTP client could be remotely controlled to connect to other
hosts
Description: An implementation issue exists in the File Transfer
Protocol (FTP) portion of CFNetwork. By sending maliciously crafted
replies to FTP PASV (passive) commands, FTP servers are able to cause
clients to connect to other hosts. This update addresses the issue by
performing additional validation of IP addresses. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Dr Bob Lopez PhD
for reporting this issue.

CFNetwork
CVE-ID: CVE-2007-4680
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote attacker may be able to cause an untrusted
certificate to appear trusted
Description: An issue exists in the validation of certificates. A
man-in-the-middle attacker may be able to direct the user to a
legitimate site with a valid SSL certificate, then re-direct the user
to a spoofed web site that incorrectly appears to be trusted. This
could allow user credentials or other information to be collected.
This update addresses the issue through improved validation of
certificates. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C for reporting this issue.

CFNetwork
CVE-ID: CVE-2007-0464
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Parsing HTTP replies using the CFNetwork framework may result
in an unexpected application termination
Description: A null pointer dereference issue exists in the CFNetwork
framework. By enticing a user to use a vulnerable application to
connect to a malicious server, an attacker may cause an unexpected
application termination. There are no known vulnerable applications.
This issue does not lead to arbitrary code execution. This has been
described on the Month of Apple Bugs web site (MOAB-25-01-2007). This
update addresses the issue by performing additional validation of
HTTP replies. This issue does not affect systems prior to
Mac OS X v10.4.

CoreFoundation
CVE-ID: CVE-2007-4681
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Reading a directory hierarchy may lead to an unexpected
application termination or arbitrary code execution
Description: A one byte buffer overflow may occur in CoreFoundation
when listing the contents of a directory. By enticing a user to read
a maliciously crafted directory hierarchy, an attacker may cause an
unexpected application termination or arbitrary code execution. This
update addresses the issue by ensuring that the destination buffer is
sized to contain the data.

CoreText
CVE-ID: CVE-2007-4682
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Viewing maliciously crafted text content may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized object pointer vulnerability exists in
the handling of text content. By enticing a user to view maliciously
crafted text content, an attacker may cause an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of object pointers. Credit
to Will Dormann of the CERT/CC for reporting this issue.

Flash Player Plug-in
CVE-ID: CVE-2007-3456
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening maliciously crafted Flash content may lead to
arbitrary code execution
Description: An input validation issue exists in Adobe Flash Player.
By enticing a user to open maliciously crafted Flash content, an
attacker may cause arbitrary code execution. This update addresses
the issue by updating Adobe Flash Player to version 9.0.47.0. Further
information is available via the Adobe web site at
http://www.adobe.com/support/security/bulletins/apsb07-12.html

Kerberos
CVE-ID: CVE-2007-3999, CVE-2007-4743
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote attacker may be able to cause a denial of service or
arbitrary code execution if the Kerberos administration daemon is
enabled
Description: A stack buffer overflow exists in the MIT Kerberos
administration daemon (kadmind), which may lead to an unexpected
application termination or arbitrary code execution with system
privileges. Further information is available via the MIT Kerberos
website at http://web.mit.edu/Kerberos/ This issue does not affect
systems prior to Mac OS X v10.4.

Kernel
CVE-ID: CVE-2007-3749
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: When executing a privileged binary, the kernel does not
reset the current Mach thread port or thread exception port. As a
result, a local user may be able to write arbitrary data into the
address space of the process running as system, which could lead to
arbitrary code execution with system privileges. This update
addresses the issue by resetting all the special ports that need to
be reset. Credit to an anonymous researcher working with the VeriSign
iDefense VCP for reporting this issue.

Kernel
CVE-ID: CVE-2007-4683
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Processes restricted via the chroot system call may access
arbitrary files
Description: The chroot mechanism is intended to restrict the set of
files that a process can access. By changing the working directory
using a relative path, an attacker may bypass this restriction. This
update addresses the issue by through improved access checks. Credit
to Johan Henselmans and Jesper Skov for reporting this issue.

Kernel
CVE-ID: CVE-2007-4684
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may obtain system privileges
Description: An integer overflow exists within the i386_set_ldt
system call, which may allow a local user to execute arbitrary code
with elevated privileges. This update addresses the issue through
improved validation of input arguments. Credit to RISE Security for
reporting this issue.

Kernel
CVE-ID: CVE-2007-4685
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may obtain system privileges
Description: An issue exists in the handling of standard file
descriptors while executing setuid and setgid programs. This could
allow a local user to obtain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
This update addresses the issue by initializing standard file
descriptors to a known state when executing setuid or setgid
programs. Credit to Ilja van Sprundel formerly of Suresec Inc.
reporting this issue.

Kernel
CVE-ID: CVE-2006-6127
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to cause an unexpected system
shutdown
Description: An implementation issue exists in kevent() when
registering a NOTE_TRACK kernel event with a kernel event queue
created by a parent process. This could allow a local user to cause
an unexpected system shutdown. This issue has been described on the
Month of Kernel Bugs web site (MOKB-24-11-2006). This update
addresses the issue by removing support for NOTE_TRACK event.

Kernel
CVE-ID: CVE-2007-4686
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Maliciously crafted ioctl requests may lead to an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An integer overflow exists in the handling of an ioctl
request. By sending a maliciously crafted ioctl request, a local user
may cause an unexpected system shutdown or arbitrary code execution
with system privileges. This update addresses the issue by performing
additional validation of ioctl requests. Credit to Tobias Klein of
www.trapkit.de for reporting this isssue.

Networking
CVE-ID: CVE-2007-4688
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote user may obtain all addresses of a host
Description: An implementation issue exists in the Node Information
Query mechanism, which may allow a remote user to query for all
addresses of a host, including link-local addresses. This update
addresses the issue by dropping node information queries from systems
not on the local network. Credit to Arnaud Ebalard of EADS Innovation
Works for reporting this issue.

Networking
CVE-ID: CVE-2007-4269
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled, a local user may cause an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An integer overflow exists in the handling of ASP
messages with AppleTalk. By sending a maliciously crafted ASP message
on an AppleTalk socket, a local user may cause an unexpected system
shutdown or arbitrary code execution with system privileges. This
update addresses the issue by performing additional validation of ASP
messages. Credit to Sean Larsson of VeriSign iDefense Labs for
reporting this issue.

Networking
CVE-ID: CVE-2007-4689
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Certain IPV6 packets may cause an unexpected system shutdown
or arbitrary code execution
Description: A double-free issue exists in the handling of certain
IPV6 packets, which may lead to an unexpected system shutdown or
arbitrary code execution with system privileges. This update
addresses the issue through improved handling of IPV6 packets. This
issue does not affect systems with Intel processors. Credit to
Bhavesh Davda of VMware, and Brian "chort" Keefer of Tumbleweed
Communications for reporting this issue.

Networking
CVE-ID: CVE-2007-4267
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled and in routing mode, a local user may
cause an unexpected system shutdown or arbitrary code execution
Description: Adding a new AppleTalk zone could trigger a stack buffer
overflow issue. By sending a maliciously crafted ioctl request to an
AppleTalk socket, a local user may cause an unexpected system
shutdown or arbitrary code execution with system privileges. This
update addresses the issue in AppleTalk through improved bounds
checking on ioctl requests. Credit to an anonymous researcher working
with the VeriSign iDefense VCP for reporting this issue.

Networking
CVE-ID: CVE-2007-4268
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled, a local user may cause an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An arithmetic error exists in AppleTalk when handling
memory allocations, which may lead to a heap buffer overflow. By
sending a maliciously crafted AppleTalk message, a local user may
cause an unexpected system shutdown or arbitrary code execution with
system privileges. This update addresses the issue through improved
bounds checking on AppleTalk messages. Credit to Sean Larsson of
VeriSign iDefense Labs for reporting this issue.

NFS
CVE-ID: CVE-2007-4690
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A maliciously crafted AUTH_UNIX RPC call may lead to an
unexpected system shutdown or arbitrary code execution
Description: A double free issue in NFS may be triggered when
processing an AUTH_UNIX RPC call. By sending a maliciously crafted
AUTH_UNIX RPC call via TCP or UDP, a remote attacker may cause an
unexpected system shutdown or arbitrary code execution. This update
addresses the issue by through improved validation of AUTH_UNIX RPC
packets. Credit to Alan Newson of NGSSoftware, and Renaud Deraison of
Tenable Network Security, Inc. for reporting this issue.

NSURL
CVE-ID: CVE-2007-4691
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious web site may result in arbitrary code
execution
Description: A case-sensitivity issue exists in NSURL when
determining if a URL references the local file system. This may cause
a caller of the API to make incorrect security decisions, potentially
leading to the execution of files on the local system or network
volumes without appropriate warnings. This update addresses the issue
by using a case insensitive comparison.

remote_cmds
CVE-ID: CVE-2007-4687
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If tftpd is enabled, the default configuration allows clients
to access any path on the system
Description: By default, the /private/tftpboot/private directory
contains a symbolic link to the root directory, which allows clients
to access any path on the system. This update addresses the issue by
removing the /private/tftpboot/private directory. Credit to James P.
Javery of Stratus Data Systems, Inc. for reporting this issue.

Safari
CVE-ID: CVE-2007-0646
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening a .download file with a maliciously crafted name may
lead to an unexpected application termination or arbitrary code
execution
Description: A format string vulnerability exists in Safari. By
enticing a user to open a .download file with a maliciously crafted
name, an attacker may cause an unexpected application termination or
arbitrary code execution. This has been described on the Month of
Apple Bugs web site (MOAB-30-01-2007). This update addresses the
issue through improved handling of format strings.

Safari
CVE-ID: CVE-2007-4692
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: An issue in Safari Tabbed browsing may lead to the disclosure
of user credentials
Description: An implementation issue exists in the Tabbed browsing
feature of Safari. If HTTP authentication is used by a site being
loaded in a tab other than the active tab, an authentication sheet
may be displayed although the tab and its corresponding page are not
visible. The user may consider the sheet to come from the currently
active page, which may lead to the disclosure of user credentials.
This update addresses the issue through improved handling of
authentication sheets. Credit to Michael Roitzsch of Technical
University Dresden for reporting this issue.

SecurityAgent
CVE-ID: CVE-2007-4693
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A person with physical access to a system may be able to
bypass the screen saver authentication dialog
Description: When waking a computer from sleep or screen saver, a
person with physical access may be able to send keystrokes to a
process running behind the screen saver authentication dialog. This
update addresses the issue through improved handling of keyboard
focus between secure text fields. Credit to Faisal N. Jawdat for
reporting this issue.

WebCore
CVE-ID: CVE-2007-4694
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Local files may be loaded from remote content
Description: Safari does not block file:// URLs when loading
resources. By enticing a user to visit a maliciously crafted website,
a remote attacker may view the content of local files, which may lead
to the disclosure of sensitive information. This update addresses the
issue by preventing local files from being loaded from remote
content. Credit to lixlpixel for reporting this issue.

WebCore
CVE-ID: CVE-2007-4695
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Uploading a maliciously crafted file may allow the tampering
of form data
Description: An input validation issue exists in the handling of HTML
forms. By enticing a user to upload a maliciously crafted file, an
attacker may alter the values of form fields, which may lead to
unexpected behavior when the form is processed by the server. This
update addresses the issue through improved handling of file uploads.
Credit to Bodo Ruskamp of Itchigo Communications GmbH for reporting
this issue.

WebCore
CVE-ID: CVE-2007-4696
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to the disclosure of
sensitive information
Description: A race condition exists in Safari's handling of page
transitions. By enticing a user to visit a malicious web page, an
attacker may be able to obtain information entered in forms on other
web sites, which may lead to the disclosure of sensitive information.
This update addresses the issue by properly clearing form data during
page transitions. Credit to Ryan Grisso of NetSuite for reporting
this issue.

WebCore
CVE-ID: CVE-2007-4697
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of the
browser's history. By enticing a user to visit a maliciously crafted
web page, an attacker may cause an unexpected application termination
or arbitrary code execution. Credit to David Bloom for reporting this
issue.

WebCore
CVE-ID: CVE-2007-4698
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may result in cross-site
scripting
Description: Safari allows JavaScript events to be associated with
the wrong frame. By enticing a user to visit a maliciously crafted
web page, an attacker may cause the execution of JavaScript in the
context of another site. This update addresses the issue by
associating JavaScript events with the correct source frame.

WebCore
CVE-ID: CVE-2007-3758
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to cross-site scripting
Description: A cross-site scripting issue in Safari allows malicious
websites to set JavaScript window properties of websites served from
a different domain. By enticing a user to visit a maliciously crafted
web page, an attacker may be able to get or set the window status and
location of pages served from other websites. This update addresses
the issue by providing improved access controls on these properties.
Credit to Michal Zalewski of Google Inc. for reporting this issue.

WebCore
CVE-ID: CVE-2007-3760
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may result in cross-site
scripting
Description: A cross-site scripting issue in Safari allows a
malicious website to bypass the same origin policy by hosting
embedded objects with javascript URLs. By enticing a user to visit a
maliciously crafted web page, an attacker may cause the execution of
JavaScript in the context of another site. This update addresses the
issue by restricting the use of the javascript URL scheme and adding
additional origin validation for these URLs. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.

WebCore
CVE-ID: CVE-2007-4671
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: JavaScript on websites may access or manipulate the contents
of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to
alter or access content served over HTTPS in the same domain. By
enticing a user to visit a maliciously crafted web page, an attacker
may cause the execution of JavaScript in the context of HTTPS web
pages in that domain. This update addresses the issue by preventing
JavaScript access from HTTP to HTTPS frames. Credit to Keigo Yamazaki
of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting
this issue.

WebCore
CVE-ID: CVE-2007-3756
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to the disclosure of
URL contents
Description: Safari may allow a web page to read the URL that is
currently being viewed in its parent window. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
obtain the URL of an unrelated page. This update addresses the issue
through an improved cross-domain security check. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.

WebKit
CVE-ID: CVE-2007-4699
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Unauthorized applications may access private keys added to
the keychain by Safari
Description: By default, when Safari adds a private key to the
keychain, it allows all applications to access the key without
warning. This update addresses the issue by asking the user for
permission when applications other than Safari attempt to use the
key.

WebKit
CVE-ID: CVE-2007-4700
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A malicious website may be able to cause Safari to send
remotely specified data to arbitrary TCP ports
Description: Safari may allow a malicious website to send remotely
specified data to arbitrary TCP ports. This update addresses the
issue by blocking access to certain ports. Credit to Kostas G.
Anagnostakis of Institute for Infocomm Research, Singapore, and
Spiros Antonatos of FORTH-ICS, Greece for reporting this issue.

WebKit
CVE-ID: CVE-2007-4701
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to read the content of opened PDF
files
Description: WebKit/Safari creates temporary files insecurely when
previewing a PDF file, which may allow a local user to access the
file's content. This may lead to the disclosure of sensitive
information. This update addresses the issue by This update addresses
the issue by using more restrictive permissions for temporary files
during PDF preview. Credit to Jean-Luc Giraud, and Moritz Borgmann of
ETH Zurich for reporting this issue.

Mac OS X v10.4.11 and Security Update 2007-008 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.

For Mac OS X v10.4.10 (Intel)
The download file is named:  "MacOSXUpd10.4.11Intel.dmg"
Its SHA-1 digest is:  4c9103699c7925cc0277cffce4c7419a9d469c31

For Mac OS X v10.4.4 (Intel) through v10.4.9 (Intel)
The download file is named:  "MacOSXUpdCombo10.4.11Intel.dmg"
Its SHA-1 digest is:  9a869c44010996bcf1a645f5467dd1bc596924dd

For Mac OS X v10.4.10 (PowerPC)
The download file is named:  "MacOSXUpd10.4.11PPC.dmg"
Its SHA-1 digest is:  132d354637604c63d28b57e57e74aed1b21c9894

For Mac OS X v10.4 (PowerPC) through v10.4.9 (PowerPC)
The download file is named:  "MacOSXUpdCombo10.4.11PPC.dmg"
Its SHA-1 digest is:  3d403bfa769424c61a3cfac173f8527658f9d4af

For Mac OS X Server v10.4.10 (Universal)
The download file is named:  "MacOSXServerUpd10.4.11Univ.dmg"
Its SHA-1 digest is:  37bf2f081d773756472205146a037d1c8c52d45e

For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
The download file is named:  "MacOSXSrvrCombo10.4.11Univ.dmg"
Its SHA-1 digest is:  94a87bb6f7c73b68c2a8654a5c2642d7c5e82d56

For Mac OS X Server v10.4.10 (PowerPC)
The download file is named:  "MacOSXServerUpd10.4.11PPC.dmg"
Its SHA-1 digest is:  6dde722314da1eaf00f881f026cfe770044f6cda

For Mac OS X Server v10.4 through v10.4.9 (PowerPC)
The download file is named:  "MacOSXSrvrCombo10.4.11PPC.dmg"
Its SHA-1 digest is:  3aeb0fae441957c7a831365ad5af1b79b0d87720

For Mac OS X v10.3.9
The download file is named:  "SecUpd2007-008Pan.dmg"
Its SHA-1 digest is:  7049852014bb8d31fe8a3b2706e59c1e7d3aebcd

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2007-008Pan.dmg"
Its SHA-1 digest is:  d085bfc4bc59ca3c81495e9b7029381c3fa9b082

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867

wsBVAwUBRztE4cgAoqu4Rp5tAQjJTAf9EesvmGlmlCEkWuObFmqyAv8QNhgABAhu
80ooZEyBzq+lZgNb6/bGB0zDH3qwPC1y8XQytDS/X2Px64Fn3B/QZWfB+JWZQSgk
1p4BqyeEgEPTPx+wap+MXGJ1Gxhy8RWPCAlIm4a6vWxC8/cTTk/rTW59zhtWxOvc
uNeubzcHwgMhFMNCrL88IIzMHzbTC0wVkqMUZVsiB2Rh18Lka0U0X974oNRGtjB9
yanzG898/eQAXZLoIqfIRE6OAasC4O3gVtp04npX4HNerd1Q379ou95YQLQC6su7
6qmiRDWmHt/v7FYklEO8GgJ72vzuSoy52srs6tn7EuZMK5aRYW3e7A==
=P5Hm
-----END PGP SIGNATURE-----

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden




Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.