Delivered-To: security-announce@lists.apple.com

APPLE-SA-2006-11-28 Security Update 2006-007

Security Update 2006-007 is now available and provides fixes for the following security issues:

AirPort
CVE-ID: CVE-2006-5710
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Attackers on the wireless network may cause arbitrary code execution
Description: A heap buffer overflow exists in the AirPort wireless driver's handling of probe response frames. An attacker in local proximity may be able to trigger the overflow by sending maliciously-crafted information elements in probe responses. This issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card. This issue does not affect systems with the AirPort Extreme card. This update addresses the issue by performing additional validation of probe response frames. Credit to H D Moore of Metasploit for reporting this issue.

ATS
CVE-ID: CVE-2006-4396
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Local users may be able to overwrite or create files with system privileges
Description: The Apple Type Services server insecurely creates error log files. As a result, a malicious local user may be able to overwrite or create files with system privileges. This update addresses the issue by creating error logs securely.

ATS
CVE-ID: CVE-2006-4398
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Local users may be able to run arbitrary code with raised privileges
Description: Multiple buffer overflows were discovered in Apple Type Services server. By sending a maliciously-crafted service request, a local user may trigger these overflows. This may lead to a crash or arbitrary code execution with system privileges.
This update addresses the issue by performing additional validation on service requests. This issue does not affect systems prior to Mac OS X v10.4.

ATS
CVE-ID: CVE-2006-4400
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Viewing maliciously-crafted font files may lead to arbitrary code execution
Description: The Apple Type Services server contains a stack buffer overflow in font processing. By carefully crafting a corrupt font file, an attacker can trigger the buffer overflow which may lead to a crash or arbitrary code execution with system privileges. Font files are processed when opened or previewed in Finder. This update addresses the issue by performing additional validation of font files.

CFNetwork
CVE-ID: CVE-2006-4401
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting FTP URIs may inject arbitrary FTP commands
Description: By enticing a user to access a maliciously-crafted FTP URI, an attacker can cause the user's FTP client to issue arbitrary FTP commands to any accessible FTP server, using the credentials of the victim. This issue may also facilitate attacks of other line oriented protocols, such as SMTP. This update addresses the issue by performing additional validation of URIs.

ClamAV
CVE-ID: CVE-2006-4182
Available for: Mac OS X Server v10.4.8
Impact: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
Description: ClamAV is updated to version 0.88.5 to address several security issues. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV. Further information is available on the ClamAV project web site (www.clamav.net).

Finder
CVE-ID: CVE-2006-4402
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Browsing a shared directory may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow may be triggered when the Finder is used to browse a directory containing a corrupt ".DS_Store" file. By enticing a user to browse a directory containing a maliciously-crafted ".DS_Store" file, an attacker may be able to trigger the overflow. This could lead to an application crash or arbitrary code execution with the privileges of the user running Finder. ".DS_Store" files may be included in archives, on disk images, and on network file systems. This update addresses the issue by performing additional validation of ".DS_Store" files.

ftpd
CVE-ID: CVE-2006-4403
Available for: Mac OS X v10.3.9
Impact: When FTP Access is enabled, unauthorized users may determine account name validity
Description: When attempting to authenticate a valid user, the FTP server may crash during a failed login attempt. The crash does not occur when attempting to authenticate unknown users. This behavior can be used to determine if an account name is valid. This issue is addressed by resolving the crash condition. FTP Access is not enabled by default. Mac OS X Server v10.3.9, Mac OS X v10.4, Mac OS X Server v10.4, and later systems are not affected. Credit to Benjamin Williams of the University of Canterbury for reporting this issue.

gnuzip
CVE-ID: CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Uncompressing a file with gunzip may lead to an application crash or arbitrary code execution
Description: By carefully crafting a malicious compressed file, an attacker may be able to trigger any of several vulnerabilities in gunzip when the file is processed.
The most severe of these issues could lead to an application crash or arbitrary code execution. Many applications use the gunzip command for decompression, including command-line tools such as tar and services such as Mail Server. This update addresses the issue by performing additional validation of compressed files. Credit to Tavis Ormandy of the Google Security Team for reporting this issue.

Installer
CVE-ID: CVE-2006-4404
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When installing software as an Admin user, system privileges may be used without explicit authorization
Description: Admin users are normally required to authenticate before executing commands with system privileges. However, the Installer allows system privileges to be used by Admin users when installing certain packages without requiring authentication. This update addresses the issue by requiring authentication before installing software with system privileges.

OpenSSL
CVE-ID: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339, CVE-2006-4343
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL is updated to version 0.9.7l to address several critical vulnerabilities. The most severe of these vulnerabilities may lead to impersonation of services using SSL or TLS, or to arbitrary code execution. Further information is available via OpenSSL advisories at http://www.openssl.org/news/vulnerabilities.html.

perl
CVE-ID: CVE-2005-3962
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Perl applications with unsafe string handling may be vulnerable to arbitrary code execution
Description: An integer overflow exists in Perl's format string functionality. This integer overflow may lead to arbitrary code execution in Perl applications which use format strings unsafely.
This update addresses the issue by performing additional validation of uses of format strings.

PHP
CVE-ID: CVE-2006-1490, CVE-2006-1990
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: PHP applications may be vulnerable to denial of service or arbitrary code execution
Description: PHP is updated to version 4.4.4 to address several security issues in the Apache module and scripting environment. Applications using affected APIs may be vulnerable. The most severe of the vulnerabilities may lead to arbitrary code execution. Further information is available on the PHP project web site (www.php.net).

PHP
CVE-ID: CVE-2006-5465
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: PHP applications may be vulnerable to arbitrary code execution
Description: Buffer overflows exist in the htmlentities() and htmlspecialchars() functions. These buffer overflows may lead to arbitrary code execution in applications using the affected APIs. This update addresses the issue by performing additional validation of input to the affected APIs.

PPP
CVE-ID: CVE-2006-4406
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Using PPPoE on an untrusted local network may lead to arbitrary code execution
Description: When PPPoE is enabled, an attacker on the local network may be able to trigger a buffer overflow. This could lead to a system crash or arbitrary code execution with system privileges. This update addresses the issue by performing better validation on PPPoE traffic. PPPoE is not enabled by default. Credit to the Mu Security research team for reporting this issue.

Samba
CVE-ID: CVE-2006-3403
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When Windows Sharing is enabled, remote attackers may cause a denial of service
Description: The list of active connections tracked by Windows Sharing may grow unbounded. An attacker may be able to create many connections, leading to memory exhaustion and a denial of service. This update addresses the issue by limiting the number of active connections. Windows Sharing is not enabled by default.

Security Framework
CVE-ID: CVE-2006-4407
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Secure Transport may not negotiate the best cipher available
Description: Secure Transport provides the ability to encrypt and authenticate data using several ciphers. When a connection is made, the best mutually-supported cipher should be used. Due to the order in which they are evaluated, it is possible for Secure Transport to use a cipher that provides no encryption or authentication when better ciphers are available. This update addresses the issue by giving priority to better ciphers. Applications using Secure Transport through CFNetwork, such as Safari, are not affected by this issue on systems with Security Update 2006-006 or later. This issue does not affect systems using Mac OS X v10.4.8 and later. Credit to Eric Cronin of gizmolabs for reporting this issue.

Security Framework
CVE-ID: CVE-2006-4408
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Processing X.509 certificates may lead to a denial of service
Description: It is possible to create an X.509 certificate containing a public key that could consume a significant amount of system resources during signature verification. An attacker may cause a system to process such a certificate, leading to a denial of service. This issue does not affect systems prior to Mac OS X v10.4. Credit to Dr. Stephen N.
Henson of Open Network Security for reporting this issue, and to NISCC for coordinating.

Security Framework
CVE-ID: CVE-2006-4409
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When using an HTTP proxy, certificate revocation lists cannot be retrieved
Description: On systems that are configured to use an HTTP proxy, the Online Certificate Status Protocol (OCSP) service is unable to retrieve certificate revocation lists. This update addresses this issue by using the system proxy settings in ocspd. This issue does not affect systems prior to Mac OS X v10.4. Credit to Timothy J. Miller of the MITRE Corporation for reporting this issue.

Security Framework
CVE-ID: CVE-2006-4410
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Certain revoked certificates may be erroneously honored
Description: The revocation list from an issuing authority may not be consulted for certain leaf certificates. This update addresses the issue through improved handling of the certificate revocation list. This issue does not affect Mac OS X v10.4.7 and later systems. Credit to Jose Nazario of Arbor Networks for reporting this issue.

VPN
CVE-ID: CVE-2006-4411
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Malicious local users may gain system privileges
Description: Under certain circumstances, the VPN server may execute commands without properly cleaning the environment. This may allow a malicious local user to create files or execute commands with system privileges. This update addresses the issue by ignoring the user's environment when executing commands.

WebKit
CVE-ID: CVE-2006-4412
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting a malicious web site may lead to arbitrary code execution
Description: A maliciously-crafted HTML document could cause a previously deallocated object to be accessed.
This may lead to an application crash or arbitrary code execution. This update addresses the issue by properly handling such documents. Credit to Tom Ferris of Security-Protocols for reporting this issue.

Security Update 2006-007 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.3.9
The download file is named: "SecUpd2006-007Pan.dmg"
Its SHA-1 digest is: b4c9190964cf4f9f674ab7f8cbd2c1cbe196cb2d

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2006-007Ti.dmg"
Its SHA-1 digest is: 994b13d0c36b18f3d30e2c0849b023393d714ef6

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2006-007Intel.dmg"
Its SHA-1 digest is: a90bf763dc381f61839d6f55cdf3d5dd710d327f

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-007Pan.dmg"
Its SHA-1 digest is: 4bd756bfa7b1fe927d34fc7a377a4b010008b866

For Mac OS X Server v10.4.8 (PowerPC)
The download file is named: "SecUpdSrvr2006-007Ti.dmg"
Its SHA-1 digest is: 0fa7e1041dd5a61393996a09081190d3343d7f34

For Mac OS X Server v10.4.8 (Universal)
The download file is named: "SecUpdSrvr2006-007Universal.dmg"
Its SHA-1 digest is: b9987a0fa591ccfd467b1ebec85367b140b8d789

Information will also be posted to the Apple Security Updates web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
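For the CFNetwork entry (CVE-2006-4401), the kind of URI validation a client needs before a path reaches the FTP control channel is sketched below. This is an added example, not Apple's code and not part of the advisory. It assumes the crafted part of the URI is a percent-encoded line terminator in the path, which the advisory does not spell out, and it checks the path only; `ftp_retr_command` and the host name are hypothetical.

```c
/* Added example, not Apple's code: check an ftp:// path before building a command. */
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns 0, or -1 on a malformed escape,
 * an oversized path, or any decoded control byte (CR, LF, NUL, ...). */
static int decode_path(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int ch = (unsigned char)src[i];
        if (ch == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (lo < 0) return -1;
            ch = hi * 16 + lo;
            i += 2;
        }
        if (ch < 0x20 || ch == 0x7f) return -1;  /* would end the command line */
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return 0;
}

/* Writes "RETR <path>\r\n" into cmd and returns 0; returns -1 if rejected. */
int ftp_retr_command(const char *uri, char *cmd, size_t cap) {
    char path[256];
    if (strncmp(uri, "ftp://", 6) != 0) return -1;
    const char *slash = strchr(uri + 6, '/');
    if (slash == NULL || slash[1] == '\0') return -1;
    if (decode_path(slash + 1, path, sizeof path) != 0) return -1;
    int n = snprintf(cmd, cap, "RETR %s\r\n", path);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void) {
    char cmd[300];  /* constructed URIs; ftp.example.com is a placeholder host */
    int ok  = ftp_retr_command("ftp://ftp.example.com/pub/readme%20first.txt", cmd, sizeof cmd);
    int bad = ftp_retr_command("ftp://ftp.example.com/pub/a%0d%0aNOOP", cmd, sizeof cmd);
    printf("plain path: %d, encoded CR LF: %d\n", ok, bad);
    return 0;
}
```

The same decode-then-check order applies to the user name and password parts of the URI, which this block does not parse.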
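For the Secure Transport entry (CVE-2006-4407), the difference between choosing a cipher by evaluation order and choosing it by strength can be modelled as follows. This is an added example, not Secure Transport's code. The suite identifiers are the TLS registry values, while `NO_SUITE`, the strength ranks, the function names and the two lists are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example. Identifiers from the TLS registry; NO_SUITE and the ranks are this example's own. */
enum {
    TLS_NULL_WITH_NULL_NULL      = 0x0000,
    TLS_RSA_WITH_RC4_128_SHA     = 0x0005,
    TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
    NO_SUITE                     = 0xFFFF
};

/* Rank 0 means "never negotiate": no encryption or authentication, or unknown. */
static int strength(uint16_t s) {
    switch (s) {
    case TLS_RSA_WITH_AES_128_CBC_SHA: return 2;
    case TLS_RSA_WITH_RC4_128_SHA:     return 1;
    default:                           return 0;
    }
}

static int offered(uint16_t s, const uint16_t *list, size_t n) {
    while (n--) if (list[n] == s) return 1;
    return 0;
}

/* Flawed: the first mutually supported suite in evaluation order wins. */
uint16_t select_first_match(const uint16_t *ours, size_t n, const uint16_t *peer, size_t np) {
    for (size_t i = 0; i < n; i++)
        if (offered(ours[i], peer, np)) return ours[i];
    return NO_SUITE;
}

/* Fixed: the strongest mutually supported suite wins; rank 0 is never chosen. */
uint16_t select_best(const uint16_t *ours, size_t n, const uint16_t *peer, size_t np) {
    uint16_t best = NO_SUITE;
    for (size_t i = 0; i < n; i++)
        if (strength(ours[i]) > strength(best) && offered(ours[i], peer, np))
            best = ours[i];
    return best;
}

/* Constructed lists: the NULL suite happens to be evaluated first. */
static const uint16_t OURS[] = { TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA };
static const uint16_t PEER[] = { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_NULL_WITH_NULL_NULL };

int main(void) {
    printf("first match: 0x%04X, ranked: 0x%04X\n",
           (unsigned)select_first_match(OURS, 3, PEER, 2), (unsigned)select_best(OURS, 3, PEER, 2));
    return 0;
}
```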