site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2006-06-29 iTunes 6.0.5 iTunes 6.0.5 is now available and, in addition to its other content, fixes the following security issue: CVE-ID: CVE-2006-1467 Available for: Mac OS X v10.2.8 or later, Windows XP / 2000 Impact: An integer overflow in iTunes could cause a denial of service or lead to the execution of arbitrary code Description: The AAC file parsing code in iTunes versions prior to 6.0.5 contains an integer overflow vulnerability. Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files. Credit to ATmaCA working with TippingPoint and the Zero Day Initiative for reporting this issue. iTunes 6.0.5 may be obtained from: http://www.apple.com/itunes/download/ For Mac OS X: The download file is named: "iTunes6.0.5.dmg" Its SHA-1 digest is: 668d53a8ca8126a852a470e4b9f7b13c0ecd3db3 For Windows 2000 or XP: The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: 0a82011b904e9fea33b1482deaea93094e008d96 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.6 (Build 6060) iQEVAwUBRKQn3omzP5/bU5rtAQiG8Qf+K+LYZD/PUTorONxQrCQyLUFNQhJlamQy SL13vqin0o8ogAUQuleAxuwvBPKkopdPTNadkmuABMTXFD+uDv+CyDUE3Z+93rqf d7cC6o1e/GPZIvxyhBkZNZ9R0KsXypxIJdWTGUYECpCtf1GoVtPHut1GTqbqr1h1 qKnjzMhEqtLAlc+kjbPEhB3plEI4ga0YjhYQBLHtpAfVYIvhfJJkhZpynfsMwzpj QXYdUAMlglwjAKNk/JkNJ9TsG4xRGxKuL3WGPxzzOgb5sAcex+/yn0njrWMHLVbx tauOneVnh9CLRTDeYEohk+H/LhUSspnvR7c/bKt2zIC/+RMHjx091w== =ibCr -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com