APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7

Java for Mac OS X 10.4, Release 7 is now available and addresses the following issues:

Java
CVE-ID: CVE-2008-3637
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

Java
CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1195, CVE-2008-1196, CVE-2008-3104, CVE-2008-3107, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in Java 1.4.2_16
Description: Multiple vulnerabilities exist in Java 1.4.2_16, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.4 to version 1.4.2_18. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

Java
CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in Java 1.5.0_13
Description: Multiple vulnerabilities exist in Java 1.5.0_13, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.5 to version 1.5.0_16. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java for Mac OS X 10.4, Release 7 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "JavaForMacOSX10.4Release7.dmg"
Its SHA-1 digest is: 67d17ba3e854101d890633f507b4c02e031b3a05

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
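
The following is an added example, not part of Apple's advisory: a triage helper that classifies `java -version` output against the fixed builds named above (1.4.2_18 and 1.5.0_16). The hostnames, sample outputs and function names are constructed for illustration, and treating every build below the fixed update as needing it is an assumption.

```python
import re

# Fixed builds named in the advisory, keyed by Java family (major, minor, micro).
FIXED_UPDATE = {(1, 4, 2): 18, (1, 5, 0): 16}

# Version token as printed by `java -version`, e.g.: java version "1.5.0_13"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return ((major, minor, micro), update), or None if no version token is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    family = tuple(int(part) for part in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return family, update


def triage(text):
    """Classify one host's `java -version` output against the advisory's fixed builds."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "not-covered"  # family is not mentioned in this advisory
    # Compare the update numerically: as strings, "9" would sort after "18".
    # Assumption: every build below the fixed update still needs it.
    return "patched" if update >= fixed else "needs-update"


# Constructed sample inventory (hostnames and outputs are made up for illustration).
SAMPLE_INVENTORY = {
    "mac-01": 'java version "1.5.0_13"\nJava(TM) 2 Runtime Environment, Standard Edition',
    "mac-02": 'java version "1.5.0_16"',
    "mac-03": 'java version "1.4.2_9"',
    "mac-04": 'java version "1.4.2_18"',
    "mac-05": 'java version "1.6.0_07"',
    "mac-06": "java: command not found",
}


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(output) for host, output in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(host, status)
```

`java -version` reports only the JVM it launches, so a host with both the 1.4 and 1.5 families installed needs each one checked.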