-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mac OS X 10.2.5 is now available. It contains fixes for recent vulnerabilities in:

Apache 2.0: Fixes CAN-2003-0132, a denial of service vulnerability in Apache 2.0 versions through 2.0.44. Apache 2.0 is distributed only with Mac OS X Server, and is not enabled by default.

Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege Escalation and DoS Attack. DirectoryServices is part of the Mac OS X and Mac OS X Server information services subsystem. It is launched at startup, setuid root and installed by default. It is possible for a local attacker to modify an environment variable that would allow the execution of arbitrary commands as root. Credit to Dave G. from @stake, Inc. for the discovery of this vulnerability.

File Sharing/Service: Fixes CAN-2003-0198 where the contents of the write-only DropBox folder can be revealed. When Personal File Sharing on Mac OS X or Apple File Service on Mac OS X Server is enabled, a "DropBox" folder is available by default to allow people to deposit files. This update no longer allows the permissions of the "DropBox" folder to be changed by a guest.

OpenSSL: Fixes CAN-2003-0131 Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding. The patch from the OpenSSL team, which addresses this vulnerability, is applied to Mac OS X and Mac OS X Server.

Samba: Fixes CAN-2003-0201 which could allow an anonymous user to gain remote root access due to a buffer overflow. The built-in Windows file sharing is based on the open source technology called Samba and is off by default in Mac OS X.

sendmail: Fixes CAN-2003-0161, where address parsing code in sendmail does not adequately check the length of email addresses. Only the patch from the sendmail team is applied to the currently-shipping version of sendmail in Mac OS X and Mac OS X Server.

System requirements: Mac OS X 10.2.x (Jaguar)

Mac OS X 10.2.5 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    Updating from Mac OS X 10.2.4:
    http://www.info.apple.com/kbnum/n120210
    The download file is titled: MacOSXUpdate10.2.5.dmg
    Its SHA-1 digest is: 1f98f9a21c3f17be823e2d63d90e534df01b3fdf

    Updating from Mac OS X 10.2 through 10.2.3:
    http://www.info.apple.com/kbnum/n120211
    The download file is titled: MacOSXUpdateCombo10.2.5.dmg
    Its SHA-1 digest is: a8ed6287d5bd0bdf67a2c0fd97b3af810f178d21

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html

_______________________________________________
security-announce mailing list | security-announce@lists.apple.com