APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised

Mac OS X 10.2.8 has been re-posted, and it is updated to address issues discovered with certain system configurations. The security enhancements in Mac OS X 10.2.8 are identical between the first release and the one now available.

================================================

This note describes all security enhancements in Mac OS X 10.2.8, with the following new information:

* Security enhancements for OpenSSL (details below) have been recently announced, and we can now disclose the presence of these enhancements in Mac OS X 10.2.8.

* The latest release of Mac OS X 10.2.8 includes support for PowerMac G5 systems. The initial 10.2.8 release only applied to PowerMac G4 systems.

* A Sendmail workaround for Mac OS X 10.1.x systems is described below.

================================================

Mac OS X 10.2.8 contains security enhancements for the following:

OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address potential issues in certain ASN.1 structures and in certificate verification code. To deliver the update in a rapid and reliable manner, only the patches for the CVE IDs listed above were applied, and not the entire latest OpenSSL library. Thus, the OpenSSL version in Mac OS X 10.2.8, as obtained via the "openssl version" command, is:

    OpenSSL 0.9.6i Feb 19 2003

OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack. To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:

    OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

fb_realpath(): Fixes CAN-2003-0466, which is an off-by-one error in the fb_realpath() function that may allow attackers to execute arbitrary code.

arplookup(): Fixes CAN-2003-0804. The arplookup() function caches ARP requests for routes on a local link. On a local subnet only, it is possible for an attacker to send a sufficient number of spoofed ARP requests which will exhaust kernel memory, leading to a denial of service.

Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing.

================================================

How to install Sendmail for Mac OS X 10.1.5 systems:

- From the UNIX command-line, perform the following steps:

1. Download sendmail version 8.12.10 which contains the fix to the Zalewski advisory, released on 2003/09/17, by executing the following command:

    curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz

2. Verify the integrity of this file by typing:

    cksum sendmail.8.12.10.tar.gz

   which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"

3. Unpack the distribution as follows:

    tar xvzf sendmail.8.12.10.tar.gz

4. Add the following line to your /etc/master.passwd file:

    smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false

5. Add the following line to your /etc/group file:

    smmsp:*:25:

6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the same smmsp user and group entries to your NetInfo database. The easiest way is to duplicate existing entries and edit them to match the entries in steps 4 and 5. For example, in the users pane you could select and then duplicate (Command-D) the entry for "www" and then edit the uid/gid/name/home directory fields in the new "www copy" to match those in step 4. Similarly, for groups you could select the entry for "mail" and duplicate it, editing just the name and gid fields to match those in step 5. When you're done, you should see a users/smmsp entry and a groups/smmsp entry.

7. Now you're ready to start building the distribution. cd to the sendmail-8.12.10 directory and type "make"

8. The next two steps will install the new sendmail:

    sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
    sudo make install

Make sure the permissions on your root directory are 755 (or set DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should now be running the patched sendmail.

================================================

Mac OS X 10.2.8 may be obtained from:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:

PowerMac G4 systems
===================

Mac OS X Client (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120244
The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82

Mac OS X Client (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120245
The download file is named: "MacOSXUpdate10.2.8.dmg"
Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c

Mac OS X Server (updating from 10.2.6):
http://www.info.apple.com/kbnum/n120246
The download file is named: "MacOSXServerUpdate10.2.8.dmg"
Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36

Mac OS X Server (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120247
The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67

PowerMac G5 systems
===================

Mac OS X Update (G5) v10.2.8(G5)
http://www.info.apple.com/kbnum/n120248
The download file is named: "MacOSXUpdate10.2.5.dmg"
Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac

For systems with the initial release (only) of Mac OS X 10.2.8
==============================================================

Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
http://www.info.apple.com/kbnum/n120252
The download file is named: "MacOSXUpd10.2.8.dmg"
Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html
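
Added example, not part of Apple's advisory: a POSIX shell script that checks downloaded files against the cksum value from step 2 of the Sendmail procedure and the SHA-1 digests listed for each update image. The function names and the KIND|EXPECTED|FILE manifest layout are assumptions made for this example; note that cksum is a CRC, so it detects a damaged transfer only.

```shell
# Added example: check downloads against the cksum and SHA-1 values above.
# Print "KIND|EXPECTED|FILE" lines; values copied from the advisory text.
advisory_manifest() {
cat <<'EOF'
cksum|834313764 1892497|sendmail.8.12.10.tar.gz
sha1|f823736e3ab87f8152826491f4ac0126d7aacc82|MacOSXUpdateCombo10.2.8.dmg
sha1|2899de4e35c280d15f72b844b44311bfe36ed17c|MacOSXUpdate10.2.8.dmg
sha1|93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36|MacOSXServerUpdate10.2.8.dmg
sha1|53a84558cb78591ce1904de96f816445a5b61b67|MacOSXSrvrUpdCombo10.2.8.dmg
sha1|991bf6984f9d5c57078a5f20b01aed03a631d0ac|MacOSXUpdate10.2.5.dmg
sha1|f0278755df440155708ed0f8aef2f9f8eb09810e|MacOSXUpd10.2.8.dmg
EOF
}

# Lowercase hex SHA-1 of a file, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1" | awk '{print $1}'
    else openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}
# POSIX cksum as "CRC SIZE", without the file name.
cksum_of() { cksum "$1" | awk '{print $1, $2}'; }

# verify_file FILE KIND EXPECTED: 0 = match, 1 = mismatch, 2 = missing/unknown.
verify_file() {
    [ -f "$1" ] || return 2
    case "$2" in
        sha1)  actual=$(sha1_of "$1") ;;
        cksum) actual=$(cksum_of "$1") ;;
        *)     return 2 ;;
    esac
    [ "$actual" = "$3" ]
}

# verify_manifest DIR: read manifest lines on stdin; non-zero if any file fails.
verify_manifest() {
    dir=$1; bad=0
    while IFS='|' read -r kind expected name; do
        verify_file "$dir/$name" "$kind" "$expected" && rc=0 || rc=$?
        case $rc in
            0) echo "OK       $name" ;;
            1) echo "MISMATCH $name"; bad=1 ;;
            *) echo "MISSING  $name"; bad=1 ;;
        esac
    done
    return $bad
}

if [ "$#" -gt 0 ]; then advisory_manifest | verify_manifest "$1"; fi  # sh verify.sh DIR
```

Run it with the download directory as its only argument; it prints one status line per file and exits non-zero if any file is missing or does not match.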