site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2006-11-16 Apple Remote Desktop 3.1 Apple Remote Desktop 3.1 is now available. Along with functionality improvements (see release notes), it also fixes the following security issue: Apple Remote Desktop CVE-ID: CVE-2006-4413 Available for: Apple Remote Desktop 3.0 Impact: Malicious local users may be able to modify packages used to install or upgrade client systems Description: Apple Remote Desktop includes built-in packages used to install and upgrade client systems. The permissions on these packages could allow them to be altered by malicious local users on Apple Remote Desktop admin systems. This could lead to the execution of arbitrary commands with root privileges on client systems when Apple Remote Desktop client software is installed or upgraded. This issue has been addressed by applying more restrictive permissions on the built-in installation packages. Credit to Andrew Mortensen of the University of Michigan for reporting this issue. Apple Remote Desktop 3.1 may be obtained from: http://www.apple.com/support/downloads/ For Apple Remote Desktop Client The download file is named: "RemoteDesktopClient.dmg" Its SHA-1 digest is: 5747716690703dc6655a2882ebba77424c661650 For Apple Remote Desktop Admin The download file is named: "RemoteDesktopAdmin310.dmg" Its SHA-1 digest is: b86f7fb03253c70e3cf33f6ce6c8c1491daae0a7 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEVAwUBRVzXVImzP5/bU5rtAQJyUQf/bBE1y/LJ3aMACIhTxBEdNK0B3D6EmdJs 7JU4bTjeZiTXKHwQkVHmSJkDu4EWYv29kcBI1r2cNMEQhZjOhfLV/YcdYnQY4wcT RxQgvAnaWZchaWSTywFEJJL9ORQIihw5JUoaPAco+GU7ZCW3+nG13/oZ0+JwijgW Ps8eQWWMOwzqURxyQmIpfJ3EhhKhpCgox19mD8CuHcsXOYLYA914lF0+ryIj52ko dqcTrBPhs4Qu1ScShVHXYitiycpBHkQCvRgVryVbMbQ5oNCFpJrPWtPrQ8tQDRXL xA56xKr1pYkieRcNGY4bmmE5fkvekBk8MaBEY2eAIsNUsMjtNhB0cg== =T+cu -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com