site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2006-03-13 Security Update 2006-002 Security Update 2006-002 is now available and addresses the following issues: CoreTypes CVE-ID: CVE-2006-0400 Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Remote web sites can cause JavaScript to bypass the same-origin policy Description: When documents containing Javascript are loaded from a remote site, data access is restricted by the same-origin policy. However, under certain situations, maliciously-crafted archives can cause these restrictions to be bypassed. This update addresses the issue by flagging these documents as unsafe. Mail CVE-ID: CVE-2006-0396 Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Double-clicking an attachment in Mail may result in arbitrary code execution Description: By preparing a specially-crafted email message with attachments, and enticing a user to double-click on that attachment within Mail, an attacker may trigger a buffer overflow. This could result in the execution of arbitrary code with the privileges of the user running Mail. This issue addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue. Safari, LaunchServices, CoreTypes CVE-ID: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399 Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Viewing a malicious web site may result in arbitrary code execution Description: Security Update 2006-001 addressed an issue where Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Credit to Will Dormann of CERT/CC and Andris Baumberger for reporting several of these issues. The following non-security issues introduced by Security Update 2006-001 are also addressed by this update: * Download Validation: Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, or folders containing custom icons. These unneeded warnings are removed with this update. * apache_mod_php: A regression in PHP 4.4.1 that could prevent SquirrelMail from functioning is corrected with this update. * rsync: A regression in rsync that prevented the "--delete" command line option from functioning is corrected with this update. Security Update 2006-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5 The download file is named: "SecUpd2006-002Ti.dmg" Its SHA-1 digest is: 39a36533b1fa33ed742e7cca07f120be8d7e292f For Mac OS X v10.4.5 (Intel) The download file is named: "SecUpd2006-002Intel.dmg" Its SHA-1 digest is: b9d2aa318161c7d1a5e4b7977577447d9077b2cf For Mac OS X v10.3.9 The download file is named: "SecUpd2006-002Pan.dmg" Its SHA-1 digest is: 1dbc1e4ce152f00b4ffd49d10eb2191210a2edc9 For Mac OS X Server v10.3.9 The download file is named: "SecUpdSrvr2006-002Pan.dmg" Its SHA-1 digest is: 10226cd44c78976ea30fbe9e5bc6db07fe67c305 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.5 (Build 5050) iQEVAwUBRBm3koHaV5ucd/HdAQIeoQf/cLDZnIgwyPCFi5JakwWLXnFynTJG2vq4 tTygyeuItm2DDg/iQoPzfYNlZ/LEIqGN85HjzbBqmz6lW7COwhwvO4l7mst6nVTh GAzT+cNGQz4ljvVq/VNR0mUcb3+dYyR3FubtaFlVGGHLvtOJitzyyyLyiojRpx+7 A74jiJ56O/kBgF8pCWtNXNJ4r3R9RpW77v3lrGLJnzC5EsYJNvP43lZIxirwZdsT Nh/o+AdHLmvi7IG2ImbTrz4hgmErX5FLZO9ZkPEh9KNRZJd/UDYTy8cmDzWRo9BB DKc7QPr8KARXO9yuMSKqqxmH4abBB9b/eqxM1gUiF4yYiFSdWELBJA== =2ufX -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com