APPLE-SA-2010-01-19-1 Security Update 2010-001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-01-19-1 Security Update 2010-001

Security Update 2010-001 is now available and addresses the
following:

CoreAudio
CVE-ID:  CVE-2010-0036
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact:  Playing a maliciously crafted mp4 audio file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in the handling of mp4 audio
files. Playing a maliciously crafted mp4 audio file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Tobias
Klein of trapkit.de for reporting this issue.

CUPS
CVE-ID:  CVE-2009-3553
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact:  A remote attacker may cause an unexpected application
termination of cupsd
Description:  A use-after-free issue exists in cupsd. By issuing a
maliciously crafted get-printer-jobs request, an attacker may cause a
remote denial of service. This is mitigated through the automatic
restart of cupsd after its termination. This issue is addressed
through improved connection use tracking.

Flash Player plug-in
CVE-ID:  CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798,
CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact:  Multiple vulnerabilities in Adobe Flash Player plug-in
Description:  Multiple issues exist in the Adobe Flash Player plug-
in, the most serious of which may lead to arbitrary code execution
when viewing a maliciously crafted web site. The issues are addressed
by updating the Flash Player plug-in to version 10.0.42. Further
information is available via the Adobe web site at
http://www.adobe.com/support/security/bulletins/apsb09-19.html. Credit
to an anonymous researcher and Damian Put working with TippingPoint's
Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global
Security Research Team, Will Dormann of CERT, Manuel Caballero and
Microsoft Vulnerability Research (MSVR).

ImageIO
CVE-ID:  CVE-2009-2285
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer underflow exists in ImageIO's handling of TIFF
images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

Image RAW
CVE-ID:  CVE-2010-0037
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact:  Viewing a maliciously crafted DNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in Image RAW's handling of DNG
images. Viewing a maliciously crafted DNG image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Jason
Carr of Carnegie Mellon University Computing Services for reporting
this issue.

OpenSSL
CVE-ID:  CVE-2009-3555
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact:  An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description:  A man-in-the-middle vulnerability exists in the SSL and
TLS protocols. Further information is available
at http://www.phonefactor.com/sslgap. A change to the renegotiation
protocol is underway within the IETF. This update disables
renegotiation in OpenSSL as a preventive security measure. The issue
does not affect services using Secure Transport as it does not
support renegotiation. Credit to Steve Dispensa and Marsh Ray of
PhoneFactor, Inc. for reporting this issue.
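The IETF change mentioned above became RFC 5746 (the renegotiation_info extension). Apple's fix sidesteps the problem by disabling renegotiation in OpenSSL, but an administrator still wants to know what a server they operate advertises. The following is an added example, not part of Apple's advisory: a small POSIX shell helper that classifies `openssl s_client` output into a renegotiation posture, plus a network probe that sends s_client's `R` command to trigger a client-initiated renegotiation. It assumes the marker strings OpenSSL 0.9.8m and later print ("Secure Renegotiation IS supported", "Secure Renegotiation IS NOT supported", "RENEGOTIATING", "handshake failure"); the function and status names are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): classify a TLS server's renegotiation
# posture from `openssl s_client` output.
#
# reneg_status reads s_client output on stdin and prints one word:
#   secure                        server advertises RFC 5746 secure renegotiation
#   legacy-no-rfc5746             handshake done, no RFC 5746 (no reneg attempted)
#   legacy-renegotiation-accepted server took a client renegotiation without RFC 5746
#   legacy-renegotiation-refused  renegotiation attempted, server refused it
#   unknown                       no recognisable marker in the output
# Exit status: 0 secure, 1 any legacy result, 2 unknown.
reneg_status() {
  out=$(cat)
  # Marker strings are those printed by OpenSSL 0.9.8m and later (assumption).
  case "$out" in
    *"Secure Renegotiation IS supported"*) echo secure; return 0 ;;
  esac
  case "$out" in
    *"Secure Renegotiation IS NOT supported"*) ;;
    *) echo unknown; return 2 ;;
  esac
  case "$out" in
    *RENEGOTIATING*)
      case "$out" in
        *"handshake failure"*|*"unexpected message"*)
          echo legacy-renegotiation-refused ;;
        *)
          echo legacy-renegotiation-accepted ;;
      esac
      return 1 ;;
    *) echo legacy-no-rfc5746; return 1 ;;
  esac
}

# probe_renegotiation HOST [PORT]: connect, wait for the handshake, send the
# s_client 'R' command (client-initiated renegotiation), then classify.
# Needs network access and an OpenSSL client that is still willing to
# renegotiate; run it from a host whose OpenSSL has not had renegotiation
# disabled.
probe_renegotiation() {
  host=$1
  port=${2:-443}
  { sleep 2; printf 'R\n'; sleep 2; } |
    openssl s_client -connect "$host:$port" -servername "$host" 2>&1 |
    reneg_status
}

# Example: probe_renegotiation example.com 443
```

Because this update disables renegotiation in Apple's OpenSSL, s_client on a patched Mac will not perform the `R` renegotiation itself; run the probe from an unpatched build or a different platform if you want the "accepted" versus "refused" distinction rather than only the RFC 5746 advertisement. A result of `secure` or `legacy-renegotiation-refused` is what you want to see; `legacy-renegotiation-accepted` is the condition CVE-2009-3555 exploits.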


Security Update 2010-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.8
The download file is named: SecUpd2010-001.dmg
Its SHA-1 digest is: f3f5061ca161355c8a5f1d1a52d5e8a9e604a30d

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-001.dmg
Its SHA-1 digest is: 32c5ecdb0aeabe0f4eaa061a271242b6d96d8ba1

For Mac OS X v10.6.2 and Mac OS X Server v10.6.2
The download file is named: SecUpd2010-001Snow.dmg
Its SHA-1 digest is: 8c1f0a08edf557d9242974e925ff58deb5e5dbf2

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQEcBAEBAgAGBQJLVgCAAAoJEHkodeiKZIkBWDkH/2C0cMXWVasLqk+z3c7UGP6T
Y3749YLbz4nw201ElUkiMJalR7jdnz1GJkjgORrIev9U5nDozNdkrOdqEkW/DOUl
6fGitHWx8zYDBgQqVSeTz70w2AFosRBeHpEUW2QDUnBs2wC7LpWuIgFshPb8F5Oi
sJCg+oCMGMY51x+PQjoMqO+guCowNNdFG/ibhnOfni33QYVQXgowhnOqsoouoGoS
BorD9Utpqf1W94sxqt2OsKFuWoDyHUkxBVB73EWQ3NWWnCpR50nQP5aNaZQqDZc8
o1LinGLWBwaIkssc7YR8jvHkZVeUQ4a+dBGjxjg0t/ntzjvhUnOB+LlJ0Lx1A4I=
=eH9l
-----END PGP SIGNATURE-----

 _______________________________________________
Security-announce mailing list