APPLE-SA-2003-02-14 Mac OS X 10.2.4 client

Mac OS X 10.2.4 client Software Update may be obtained from:

  * Software Update pane in System Preferences

  - OR -

  * Apple's Software Downloads web site:

    Updating from Mac OS X 10.2.3:
    http://www.info.apple.com/kbnum/n70167
    The download file is named: "MacOSXUpdate10.2.4.dmg"
    Its SHA-1 digest is: a54695d21f1162bd453d2f9a3b02176cae8c8777

    Updating from Mac OS X 10.2, 10.2.1, or 10.2.2:
    http://www.info.apple.com/kbnum/n70168
    The download file is named: "MacOSX10.2.4Combined.dmg"
    Its SHA-1 digest is: 0b377141c1cd11d303a72ce3fac5170d2e02cf3b

Information is also posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798

Mac OS X 10.2.4 client Software Update is now available. It contains fixes for the following potential security issues:

* Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

* AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

* Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

* Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from:
  http://samba.org/samba/whatsnew/samba-2.2.7.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html