APPLE-SA-2009-05-12 Safari 4 Public Beta Security Update

Safari 4 Public Beta Security Update is now available and addresses the following:

libxml
CVE-ID: CVE-2008-3529
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in libxml's handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is addressed in Safari 3.2.3.

Safari
CVE-ID: CVE-2009-0162
Available for: Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Accessing a maliciously crafted "feed:" URL may lead to arbitrary code execution
Description: Multiple input validation issues exist in Safari's handling of "feed:" URLs. Accessing a maliciously crafted "feed:" URL may lead to the execution of arbitrary JavaScript. This update addresses the issues by performing additional validation of "feed:" URLs. These issues do not affect systems prior to Mac OS X v10.5. These issues are addressed in Safari 3.2.3. Credit to Billy Rios and Microsoft Vulnerability Research (MSVR), and Alfredo Melloni for reporting these issues.

WebKit
CVE-ID: CVE-2009-0945
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is addressed in Safari 3.2.3. Credit to Nils working with TippingPoint's Zero Day Initiative for reporting this issue.

Safari 4 Public Beta Security Update is available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.7
The download file is named: Safari4.0BetaSecUpdateLeo.dmg
Its SHA-1 digest is: ebce612f58cd938a6f2033d449be2e1fd4ca51c6

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0BetaSecUpdateTiger.dmg
Its SHA-1 digest is: 7f8bf60d28343bb49c8c6995da4980947032ed0e

Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 9d055956145d09003d1adf2e16dc98aa7c261c81

Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 666f8ed271700cfcaa0ddba533d5a949db22a2b9

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
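One way to check a downloaded installer against the file names and SHA-1 digests listed in this advisory, as an added example that is not part of Apple's message. The function names and the command-line usage are assumptions made for the illustration, and the listed digests are only as trustworthy as the copy of the advisory they were read from.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# The four file/digest pairs exactly as listed in the advisory above.
ADVISORY_EXCERPT = """
The download file is named: Safari4.0BetaSecUpdateLeo.dmg
Its SHA-1 digest is: ebce612f58cd938a6f2033d449be2e1fd4ca51c6
The download file is named: Safari4.0BetaSecUpdateTiger.dmg
Its SHA-1 digest is: 7f8bf60d28343bb49c8c6995da4980947032ed0e
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 9d055956145d09003d1adf2e16dc98aa7c261c81
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 666f8ed271700cfcaa0ddba533d5a949db22a2b9"""

PAIR_RE = re.compile(
    r"The (?:download )?file is named:\s*(?P<name>\S+)\s+"
    r"Its SHA-1 digest is:\s*(?P<digest>[0-9a-fA-F]{40})\b"
)

def parse_digests(advisory_text):
    """Map file name -> lowercase SHA-1 hex, using the advisory's own wording."""
    found = {}
    for m in PAIR_RE.finditer(advisory_text):
        name, digest = m.group("name"), m.group("digest").lower()
        if found.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests listed for {name}")
    return found

def sha1_of(path):
    """Hash the file in 1 MiB chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, digests):
    """Return 'ok', 'mismatch', or 'unlisted' (file name not in the advisory)."""
    expected = digests.get(Path(path).name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha1_of(path), expected) else "mismatch"

if __name__ == "__main__":
    for p in sys.argv[1:]:  # assumed usage: python verify.py <downloaded file>...
        print(p, verify_download(p, parse_digests(ADVISORY_EXCERPT)))
```

A result of "unlisted" means the file was renamed or is not one of the four packages named here, so it should not be treated as verified.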