-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2006-08-09 Security Update 2006-004 for Mac Pro

"Security Update 2006-004 for Mac Pro" is now available.

Security Update 2006-004 was released on August 1, and details are
available via:
http://docs.info.apple.com/article.html?artnum=304063

The new Mac Pro product ships with Mac OS X v10.4.7 Build 8K1079.
Also, the existing Xserve hardware is now shipping with Mac OS X
Server v10.4.7 Build 8K1079.

The fixes provided in Security Update 2006-004 (August 1 release) are
contained in Build 8K1079, with the exception of the ones listed below
for ImageIO and OpenSSH. The fixes for these issues were not fully
tested in time for the manufacturing of the Mac Pro, and are being
provided via this security update.

This update is a proper subset of the full Security Update 2006-004
released on August 1. Existing systems that have already applied
Security Update 2006-004 (Aug 1 release) do not need to install this
update.

The following security fixes are provided only for systems running
Mac OS X v10.4.7 Build 8K1079 or Mac OS X Server v10.4.7 Build 8K1079
to reach the full security level provided with Security Update
2006-004 (August 1 release).

ImageIO
CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465
Available for: Mac OS X v10.4.7 Build 8K1079,
Mac OS X Server v10.4.7 Build 8K1079
Impact: Viewing a maliciously crafted TIFF image may lead to an
application crash or arbitrary code execution
Description: Buffer overflows were discovered in TIFF tag handling
(CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder
(CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By
carefully crafting a corrupt TIFF image, an attacker can trigger a
buffer overflow which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of TIFF images. Systems prior to Mac OS X v10.4
are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462).
Credit to Tavis Ormandy, Google Security Team for reporting this
issue.
Note: A fifth issue discovered by Tavis Ormandy, CVE-2006-3460, does
not affect Mac OS X.

OpenSSH
CVE-ID: CVE-2006-0393
Available for: Mac OS X v10.4.7 Build 8K1079,
Mac OS X Server v10.4.7 Build 8K1079
Impact: When remote login is enabled, remote attackers may cause a
denial of service or determine whether an account exists
Description: Attempting to log in to an OpenSSH server ("Remote
Login") using a nonexistent account causes the authentication process
to hang. An attacker can exploit this behavior to detect the existence
of a particular account. A large number of such attempts may lead to a
denial of service. This update addresses the issue by properly
handling attempted logins by nonexistent users. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the
Centenary Institute (Sydney, Australia) for reporting this issue.
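The ImageIO entry above says the fix consists of "additional validation of TIFF images" against overflows in tag handling. The following program is an added example, not Apple's or libtiff's code, showing the kind of bounds checking a hardened TIFF reader performs on an image file directory (IFD) before it reads any tag data: the IFD must lie inside the file, the entry table must fit, and for every entry the claimed count multiplied by the type's element size (computed in 64 bits so it cannot wrap) plus the data offset must stay inside the buffer. The function names, the status enum and the sample TIFF bytes (a 46-byte little-endian file built in memory, plus two deliberately inconsistent variants) are my own constructions, not from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical status codes for this example's validator. */
typedef enum {
    TIFF_OK = 0,
    TIFF_ERR_HEADER,        /* bad byte-order mark or magic, or file too short */
    TIFF_ERR_IFD_OFFSET,    /* first-IFD offset outside the file or inside the header */
    TIFF_ERR_IFD_TRUNCATED, /* entry count claims more 12-byte entries than the file holds */
    TIFF_ERR_BAD_TYPE,      /* field type outside the 12 types defined by TIFF 6.0 */
    TIFF_ERR_TAG_DATA_OOB   /* out-of-line tag data runs past end of file */
} tiff_status;

/* Element size in bytes for TIFF 6.0 field types 1..12 (index 0 unused). */
static const uint8_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Validate the header and the first IFD of a TIFF held entirely in buf[0..len).
 * Every size computation is done in uint64_t so a hostile count cannot wrap a
 * 32-bit product back into range. */
tiff_status tiff_validate_ifd(const uint8_t *buf, size_t len) {
    int le;
    if (len < 8) return TIFF_ERR_HEADER;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return TIFF_ERR_HEADER;
    if (rd16(buf + 2, le) != 42) return TIFF_ERR_HEADER;

    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || (uint64_t)ifd + 2 > len) return TIFF_ERR_IFD_OFFSET;

    uint16_t n = rd16(buf + ifd, le);
    uint64_t ifd_end = (uint64_t)ifd + 2 + (uint64_t)n * 12 + 4; /* entries + next-IFD link */
    if (ifd_end > len) return TIFF_ERR_IFD_TRUNCATED;

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type < 1 || type > 12) return TIFF_ERR_BAD_TYPE;
        uint64_t bytes = (uint64_t)count * tiff_type_size[type];
        if (bytes > 4) { /* value does not fit inline: the last 4 bytes are a file offset */
            uint32_t off = rd32(e + 8, le);
            if ((uint64_t)off + bytes > len) return TIFF_ERR_TAG_DATA_OOB;
        }
    }
    return TIFF_OK;
}

/* --- constructed sample input (not from the advisory) --- */
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
#define SAMPLE_LEN 46

/* Little-endian TIFF: header, one IFD at offset 8 with two entries
 * (ImageWidth=64 inline, ImageDescription as 8 ASCII bytes at offset 38). */
static void build_sample(uint8_t *b, uint16_t entry_count, uint32_t desc_count) {
    memset(b, 0, SAMPLE_LEN);
    b[0] = 'I'; b[1] = 'I'; wr16(b + 2, 42); wr32(b + 4, 8);
    wr16(b + 8, entry_count);
    wr16(b + 10, 0x0100); wr16(b + 12, 3); wr32(b + 14, 1); wr32(b + 18, 64);
    wr16(b + 22, 0x010E); wr16(b + 24, 2); wr32(b + 26, desc_count); wr32(b + 30, 38);
    wr32(b + 34, 0);                 /* next IFD: none */
    memcpy(b + 38, "hello!!", 8);    /* 7 chars + NUL */
}

tiff_status check_valid_sample(void) {
    uint8_t b[SAMPLE_LEN]; build_sample(b, 2, 8); return tiff_validate_ifd(b, SAMPLE_LEN);
}
/* ASCII tag claims 65536 bytes at offset 38 of a 46-byte file. */
tiff_status check_oversized_tag_count(void) {
    uint8_t b[SAMPLE_LEN]; build_sample(b, 2, 0x00010000u); return tiff_validate_ifd(b, SAMPLE_LEN);
}
/* Entry count of 65535 would need far more than 46 bytes of IFD. */
tiff_status check_truncated_ifd(void) {
    uint8_t b[SAMPLE_LEN]; build_sample(b, 0xFFFF, 8); return tiff_validate_ifd(b, SAMPLE_LEN);
}

int main(void) {
    printf("valid sample      : %d (expect %d)\n", check_valid_sample(), TIFF_OK);
    printf("oversized tag data: %d (expect %d)\n", check_oversized_tag_count(), TIFF_ERR_TAG_DATA_OOB);
    printf("truncated IFD     : %d (expect %d)\n", check_truncated_ifd(), TIFF_ERR_IFD_TRUNCATED);
    return 0;
}
```

The validator rejects each inconsistent file before a single byte of tag data is copied, which is the property a reader must have to be robust against the kind of corrupt TIFF the advisory describes; a reader that trusts the count field and allocates or copies on its basis is exactly where a crafted file gains control over buffer sizes.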
"Security Update 2006-004 for Mac Pro" may be obtained from the
Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

For both Mac OS X v10.4.7 Build 8K1079 and Mac OS X Server v10.4.7
Build 8K1079:
The download file is named: "SecUpd2006-004.dmg"
Its SHA-1 digest is: e11014106e79277057c5c54b555ed163703ea8c0

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRNo3ZImzP5/bU5rtAQgHtgf+IIuysGUv5SQSLXuZm7P5AFbm0ZWRYHzU
sDxRgexjeoBmqOa2Ex7CrvrC6Xjr/N8qdceTYCQbmxELDi0+tHv5rGhAhfVslJAt
QZuONI5bQHgb7LEEN2lmuWnk9fNtn96x9jmCpBQBiz2+ez8U5ws3L9AREddiQnEy
Xnd8IV66BbqGpv+O2wkrpkFTdp/7sb8dS+zO9YERUT9FxIKe9V/Y6SocevmFlgGM
/BNHPPLTTSdoQpmrRncdY11oSXL2ut7rS956IQYWKfI7WMD8dC51UMYFjVatJ4+C
SjnngUB8lMn4/6Zjj9Jt6t3QWs5Y9DYISDVVfGkigNb6kIqk073Iiw==
=nMCx
-----END PGP SIGNATURE-----