May 2006 - Security-announce

APPLE-SA-2006-05-23 Xcode Tools 2.3
by Apple Product Security 23 May '06

23 May '06

site_archiver(a)lists.apple.com Delivered-To: security-announce(a)lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2006-05-23 Xcode Tools 2.3 Xcode Tools 2.3 is now available. Along with functionality improvements (see release notes), it also fixes the following security issue: WebObjects CVE-ID: CVE-2006-1466 Available for: Mac OS X v10.4 and later Impact: If you install WebObjects developer tools, remote attackers may be able to obtain or modify WebObjects projects while Xcode is running Description: The WebObjects Xcode plug-in provides the ability to manipulate projects through a network service. This service is accessible to remote systems while Xcode is running. This update addresses the issue by limiting this service to the local system. This issue does not affect default installations of Xcode Tools. Only systems with the WebObjects plug-in installed are affected. Credit to Mike Schrag of mDimension Technology for reporting this issue. Xcode Tools 2.3 may be obtained from: http://developer.apple.com/tools/download/ The download file is named: "xcode_2.3_8m1780_oz693620813.dmg" Its SHA-1 digest is: aa768c0fb979eeb11c29f177f68c763fab14ea3f Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.6 (Build 6060) iQEVAwUBRHN0x4mzP5/bU5rtAQiQWAgAxi6ZaXuDsUe193U7AMZ6QXvjfsHm8ZiW QgTKmZz9kGzriS1nlepxSkNkCe5yWYLkrJ5qNQb7DTj1Gya+7clMHdWX/2fY56eS PLQ0V3K/0bhRO5qvpQGjeOFX77gxmhYtphWH3X+HhYPEzjVkWc6+11tyvwqGtP52 DJvDbytpqVlmlaGkKGQ5b2PhdlzZEuiqKNtzVvn0EN/1vM7/Ic93YAGkkn19K2Uh Jv4KhPWoj+52cL92Pp4GdjtRcdXr0Iw3rxtBW5/BU8XNat44+qmR9gm9hvZL6O84 aacs6vRHa29xekwn+VK56DpIrA96LlafzFWDE6TJFKp31Z2nAb5g2Q== =DWIH -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40li… This email sent to site_archiver(a)lists.apple.com

1 0

APPLE-SA-2006-05-11 Security Update 2006-003
by Apple Product Security 11 May '06

11 May '06

site_archiver(a)lists.apple.com Delivered-To: security-announce(a)lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2006-05-11 Security Update 2006-003 Security Update 2006-003 is now available and addresses the following issues: AppKit CVE-ID: CVE-2006-1439 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Characters entered into a secure text field can be read by other applications in the same window session Description: Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4. AppKit, ImageIO CVE-ID: CVE-2006-1982, CVE-2006-1983, CVE-2006-1984 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution Description: The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images. BOM CVE-ID: CVE-2006-1985 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Expanding an archive may lead to arbitrary code execution Description: By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update adresses the issue by properly handling the boundary conditions. BOM CVE-ID: CVE-2006-1440 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Expanding a malicious archive may cause arbitrary files to be created or overwritten Description: An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory. CFNetwork CVE-ID: CVE-2006-1441 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Visiting malicious web sites may lead to arbitrary code execution Description: An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4. ClamAV CVE-ID: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630 Available for: Mac OS X Server v10.4.6 Impact: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution Description: The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV. For more information, see the project web site at http://www.clamav.net. CoreFoundation CVE-ID: CVE-2006-1442 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Registration of an untrusted bundle may lead to arbitrary code execution Description: Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time. CoreFoundation CVE-ID: CVE-2006-1443 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: String conversions to file system representation may lead to arbitrary code execution Description: An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions. CoreGraphics CVE-ID: CVE-2006-1444 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Characters entered into a secure text field can be read by other applications in the same window session Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue. Finder CVE-ID: CVE-2006-1448 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Launching an Internet Location item may lead to arbitrary code execution Description: Internet Location items are simple URL containers which may reference http://, ftp://, and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location, http://), with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type. FTPServer CVE-ID: CVE-2006-1445 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution Description: Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions. Flash Player CVE-ID: CVE-2005-2628, CVE-2006-0024 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Playing Flash content may lead to arbitrary code execution Description: Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at www.macromedia.com. This update addresses the issue by incorporating Flash Player version 8.0.24.0. ImageIO CVE-ID: CVE-2006-1552 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution Description: An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue. Keychain CVE-ID: CVE-2006-1446 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: An application may be able to use Keychain items when the Keychain is locked Description: When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue. LaunchServices CVE-ID: CVE-2006-1447 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a malicious web site may lead to arbitrary code execution Description: Long file name extensions may prevent Download Validation from correctly determining the application with which an item may be opened. As a result, an attacker may be able to bypass Download Validation and cause Safari to automatically open unsafe content if the "Open `safe' files after downloading" option is enabled and certain applications are not installed. This update addresses the issue through improved checking of the file name extension. This issue does not affect systems prior to Mac OS X v10.4. libcurl CVE-ID: CVE-2005-4077 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: URL handling in libcurl may lead to arbitrary code execution Description: The open source HTTP library libcurl contains buffer overflows in URL handling. Applications using curl for URL handling may trigger the issue and lead to arbitrary code execution. This update addresses the issue by incorporating libcurl version 7.15.1. This issue does not affect systems prior to Mac OS X v10.4. Mail CVE-ID: CVE-2006-1449 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a malicious mail message may lead to arbitrary code execution Description: By preparing a specially-crafted email message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail. This issue corrects the issue by performing additional validation of messages. Mail CVE-ID: CVE-2006-1450 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a malicious mail message may lead to arbitrary code execution Description: The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail. This update addresses the issue by properly handling malformed enriched text data. MySQL Manager CVE-ID: CVE-2006-1451 Available for: Mac OS X Server v10.4.6 Impact: MySQL database may be accessed with an empty password Description: During the initial setup of a MySQL database server using MySQL Manager, the "New MySQL root password" may be supplied. However, this password is not actually used. As a result, the MySQL root password will remain empty. A local user may then obtain access to the MySQL database with full privileges. This update addresses the issue by ensuring that the entered password is saved. This issue does not affect systems prior to Mac OS X Server v10.4. Credit to Ben Low of the University of New South Wales for reporting this issue. Preview CVE-ID: CVE-2006-1452 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution Description: When navigating very deep directory hierarchies in Preview, a stack buffer overflow may be trigger. By carefully crafting such a directory hierarchy, it may be possible for an attacker to cause arbitrary code execution if the directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4. QuickDraw CVE-ID: CVE-2006-1453, CVE-2006-1454 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Viewing a maliciously-crafted PICT image may lead to arbitrary code execution Description: Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting this issue. QuickTime Streaming Server CVE-ID: CVE-2006-1455 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6 Impact: A malformed QuickTime movie can cause QuickTime Streaming Server to crash Description: A QuickTime movie that has a missing track may cause a null pointer dereference, causing the server process to crash. This causes active client connections to be interrupted. However, the server is restarted automatically. This update addresses the issue by producing an error when malformed movies are encountered. QuickTime Streaming Server CVE-ID: CVE-2006-1456 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6 Impact: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution Description: By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue. Ruby CVE-ID: CVE-2005-2337 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Ruby safe level restrictions may be bypassed Description: The Ruby scripting language contains a mechanism called "safe levels" that is used to restrict certain operations. This mechanism is most commonly used when running privileged Ruby applications or Ruby network applications. In certain circumstances, an attacker may be able to bypass the restrictions in such applications. Applications that do not rely on safe levels are unaffected. This update addresses the issue by ensuring that safe levels cannot be bypassed. Safari CVE-ID: CVE-2006-1457 Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: Visiting malicious web sites may lead to file manipulation or arbitrary code execution Description: When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4. Security Update 2006-003 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.6 (PowerPC) The download file is named: "SecUpd2006-003Ti.dmg" Its SHA-1 digest is: f0dcb0dc51add2b51c297a8f416c4c23da67057c For Mac OS X v10.4.6 (Intel) The download file is named: "SecUpd2006-003Intel.dmg" Its SHA-1 digest is: 38ec78604ce11a76d0cf18a78f295a95f74e73ed For Mac OS X Server v10.4.6 The download file is named: "SecUpdSrvr2006-003Ti.dmg" Its SHA-1 digest is: f7236bfc5a910d8cd6c3f9c697ded8156fbd0e59 For Mac OS X v10.3.9 The download file is named: "SecUpd2006-003Pan.dmg" Its SHA-1 digest is: f6985d511581d99eeabfeb9b71da12188494a1e1 For Mac OS X Server v10.3.9 The download file is named: "SecUpdSrvr2006-003Pan.dmg" Its SHA-1 digest is: 022cf62fbfc205cf2031c02faa0e62f6fff44c46 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEVAwUBRGKd6ImzP5/bU5rtAQhNXwf/erTiob7F7WBdbO+KFzMTe8mTnj5P8FW1 KL1Mbl7RVZkvGUT6wvV5ezFut0oRNHS1Hjxn8SYiHFYRRaCLcU3BS43tmGFzL2hI uEQoZHlQ1q9sd1fWJdXKbJjQ7xF86FELgpNVr7OKNGWPzzLwAOL0B6msuULNiLi1 +GwAJiTAVtsTSI4ijaCiQiYaLkmpNlgao/DEGUt2TWeTPSRvnJsnsjoMe01g2mlu G9X28q9IH5QLSHZ9yDsMmzFvg/UWzHGRgd8ZFFLjCzyonjHWyO9mFSGAfNvGEQQF bsRa3sdmE5es2QrpcLm/bQdfgA7P8rbR8HlCdjU/tmD+LIFLB+5Bxg== =NvA1 -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40li… This email sent to site_archiver(a)lists.apple.com

1 0

APPLE-SA-2006-05-11 QuickTime 7.1
by Apple Product Security 11 May '06

11 May '06

site_archiver(a)lists.apple.com Delivered-To: security-announce(a)lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2006-05-11 QuickTime 7.1 QuickTime 7.1 Update is now available. Along with functionality improvements (see release notes), it also provides fixes for the following security issues: CVE-ID: CVE-2006-1458 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted JPEG image may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt JPEG image, an attacker can trigger an integer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of JPEG images. CVE-ID: CVE-2006-1459, CVE-2006-1460 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted QuickTime movie may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt QuickTime movie, an attacker can trigger an integer overflow or buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs for reporting these issues. CVE-ID: CVE-2006-1461 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted Flash movie may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt Flash movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue. CVE-ID: CVE-2006-1462, CVE-2006-1463 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted H.264 movie may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Credit to Mike Price of McAfee AVERT Labs and ATmaCA working through TippingPoint and the Zero Day Initiative for reporting these issues. CVE-ID: CVE-2006-1464 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted MPEG4 movie may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt MPEG4 movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of MPEG4 movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue. CVE-ID: CVE-2006-1249 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted FlashPix image may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt FlashPix image, an attacker can trigger an integer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix images. Credit to eEye Digital Security and Mike Price of McAfee AVERT Labs for reporting these issues. CVE-ID: CVE-2006-1465 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted AVI movie may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt AVI movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of AVI movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue. CVE-ID: CVE-2006-1453, CVE-2006-1454 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted PICT image may result in an application crash or arbitrary code execution Description: Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting these issues. CVE-ID: CVE-2006-2238 Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000 Impact: Viewing a maliciously-crafted BMP image may result in an application crash or arbitrary code execution Description: By carefully crafting a corrupt BMP image, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of BMP images. This issue was originally identified in CVE-2006-1983, but a new CVE name was assigned. QuickTime 7.1 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime site http://www.apple.com/quicktime/ For Mac OS X v10.3.9 or later The download file is named: "QuickTimeInstallerX.dmg" Its SHA-1 digest is: aad183d9b6ec15fe9469672395f35ba3930b37ec For Windows 2000/XP The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: a4ee6d7685781d89d25fb69346461daf9d074478 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEVAwUBRGOzsomzP5/bU5rtAQicxwf9EOul0oOYlpqFs+i2Q+yS4ED+AaUToZ+M 3r+sv9iv2F3X7mwyT1rB80d38chBilni7Tcrkj3jFZomh+woc23SmJX8SY1+ghoE e+buxwqU0AXg4bEAaDOP3IaZVVS17pSe3ZLnrfNTNYuB0j6k7RZTsPOIw9aAhKTq qvheEwYAXxieL6mhECX6xf2AHRHBhp9Yo6nZn6S0kxFQ/RAnr1ZHV6qyl7Cf/G1Q Juivpjp4ULAjNyr2loy9+qpHhX2au621lfCpBnY0BnxUjTlr++zQspBvrZoXw/QC DfruuTeD5WBIPOjrkbWoEpkt1YnhO0rjXf0baISeToTTZ7Wv8lfZOw== =RbLT -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40li… This email sent to site_archiver(a)lists.apple.com

1 0

Apple Product Security New PGP Key
by Apple Product Security 09 May '06

09 May '06

site_archiver(a)lists.apple.com Delivered-To: security-announce(a)lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In accordance with established policy, we update the Apple Product Security PGP key once a year. Key information is available from our web site at: http://www.apple.com/support/security/pgp/ Here is our new PGP key which is effective immediately and valid until May 15, 2007. Key ID: 0xDB539AED Key Type: RSA Expires: 5/15/07 Key Size: 2048/2048 Fingerprint: 4B55 5F62 FAE8 BC41 BA9A 4D70 89B3 3F9F DB53 9AED UserID: Apple Product Security - -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBERb1uMBCADfktagAmsjCVhM4w4T1ybVrqEb6pGwWIDGz5yGTLskuaJx6zTW WEuj+XDhYFb0eAEOULgen6fEybh+btFM3Y9zITS/03Xd4DmBxHdBryhjchho+pk0 itCjgLu02NBlu094kyTnY/VFjYBMaEP/51XsKCxtmpyOcAU1Fa2SB9kjnNjJxCT1 8cazBfDkoPYQZnngCe7YsQoU749uugAjnzgcHTurO/iUOdOMrboidKjEjoDzeHWN wDqsCiPQ9DRwGkG72WXXKp+iYisxJmr08GpW6pN97EJMGtLl38iKEidqUJmO8AP3 VkiaJ07De7URqf82VUNferHZQsDT3FiU8qptABEBAAG0M0FwcGxlIFByb2R1Y3Qg U2VjdXJpdHkgPHByb2R1Y3Qtc2VjdXJpdHlAYXBwbGUuY29tPokBjgQQAQIAeAUC RFvW/gUJAe5igDAUgAAAAAAgAAdwcmVmZXJyZWQtZW1haWwtZW5jb2RpbmdAcGdw LmNvbXBncG1pbWUHCwkIBwMCCgIZARkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29t BRsDAAAABBYDAgEFHgEAAAAEFQgJCgAKCRCJsz+f21Oa7b55B/0d6SXM6zS/FKKr AYdhDqaGMJSFWiv0Ihf/R0iOHvIDCBAiAdJm91MHMALBIMEXxWEsMiELXxNm2/Gm 4ci6WqVpddzEn0KEkqSJlkoLIMKvcNJGCu5dZObMLmDKp5APgWMrkxJcJPFJc9Kh diHgKSI0a+xgoDFSLrlak442kWdP4RgUGFXFQmVR6OV/J0yE90HYcVzRUnVi7gVn /zkK+xuIZw1fVnsg3oupdTisAjvODp0jQwDuAgr9+08z8HayqvGiKvELlzURLrmI vWV7qEweS9XF8Rs2gVIW79I3cOpRXhDfCKUweBMuyb48WubDt1V9HnsWUbbSYaYx d7sq7O0siQEVAwUQRFvXmYHaV5ucd/HdAQKIUAgAl+sE8IHpXLFEP3Qwz6QY6mhW EZd3LQu7r9Bk7Z+1owcuYqqZHWI35IWsXgbshYHzLkR0SY7XVmnlTS5V2ZY8frRz Quq9UoFmi1a7WEJLEPMcUMAuJTnGV6zIFfI/APYFKI3JyhEqfP+Xy/Iu1HJ00XeU j63K9Lkb8q9bSEB+QO8KHwU9eYq9Cnzl2pAgnTO6MiLiFF+pxJpmIHKE6gVyo4Cx ZVHWb7nER9Rz9nU6D3JbKrbvOAbmhX5TvccOurhtgse3dEQGelOYN9M8sDuzA9xs 7ZIL3lnABp50fSfw9bGOzGT+gpLITa8aBbnxz2RmQjFHEuHnklmt90mAIcsrVLkB DQREW9bkAQgA2swvuaG/11H5375MO9Vyeq2Dlj3pk07GgMhEOAd4FytWOZT0e518 anGok0T2wFsWlLGIAsuDRDBHK07tvFamWDcx9gwrM09k4oBu6GnEeC4xNJOFSdnM izSMayaa/YX058PFxyu6d43edGo9KNbxWY01GhwNQnjGnQG+02tvOm4abZHoyJp5 5eFEGHwNDFcbGx843PMGnqlaMggZxe1S3rkV6SPHZDavnUgIRNDs1LdKqwVLJV5c /bF2oIuceHGDK/Zek7mRsAE3brCOCWuonDD+/BeZfnWUVf22S3E/Xu++YuUswNjE BRuv7S2Ma6Y9Kg4sAaj3Df4F77DR5BZt/QARAQABiQEoBBgBAgASBQJEW9bkBQkB 7mKABRsMAAAAAAoJEImzP5/bU5rtRIUH/0PwGgcw7A59rGKBShyLKu2/b2xZ9Rd4 phdOHOKwibjfRZbUGgZ47EOAhj1h7F3+W6P2z9C5fzn/O+pzz9zSf8QptcURTGWt AiD6X5JFBft0G4zjB2iWKk0QlHzkVDwCg63EEZ0lDHxSsGX9/tMS+W1qjwPDIr6o lEzNqWTT0+jeDCU1KwTS9gEeupdP0f+ndqx4jrtnPAeq98Uk6R9Iz8rTAWnmOWfv D2/lXQ5aQESzXKNwULm1gTI2DYNkkL41GfP31pCp3sIJyJFZ5Ibq+IyZ2G7oe2iK EFBnz/qHZ+vdxv2mliq5NpJvrs1NGxM03pRI93IUlgLQt0jKyn904kg= =nNX4 - -----END PGP PUBLIC KEY BLOCK----- This message is signed with the current key, which can be obtained from: http://www.apple.com/support/security/pgp/archive/ Apple Product Security team http://www.apple.com/support/security/ -----BEGIN PGP SIGNATURE----- iQEVAwUBRF/Mj4HaV5ucd/HdAQJhNgf/TlgP9ElkQ5nm2Gb2l/4yFqeHahXGO+AG SoUnkZ4qPQk0ObHzElMHjlsrg13ySqk/oM2ypq1+N0U2TIyRqGQI2K6+uUrhqBfv ArsRUbPp1RUdeGSnpjxiuI5aU1igzrR2xChbPRoNJtUeB/vI9wFhJDNQH0Na+MQo acThzFsxTLBTjRsORgI2nXkgNCYUHwh1WuX9Mk2X54jmo5zIoaJ1yK21P6t4GUIP QviTCxQQGuiMZJwC8t37s111+GfwEkO2Ya4iIEnI+8Uy8gelWhyq79k1aQQCVFyy aATNfqRQgmNEsFRXDFVm9MMswXrUY8208lPbr9xo3Rq/df8ZMybY+w== =+Av8 -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40li… This email sent to site_archiver(a)lists.apple.com

1 0