APPLE-SA-2009-03-11 iTunes 8.1
Delivered-To: security-announce@lists.apple.com

iTunes 8.1 is now available and addresses the following:

iTunes
CVE-ID: CVE-2009-0016
Available for: Windows XP or Vista
Impact: Sending a maliciously crafted DAAP message may lead to a denial of service
Description: An infinite loop exists in the handling of iTunes Digital Audio Access Protocol (DAAP) messages. Sending a message containing a maliciously crafted Content-Length parameter in the DAAP header may lead to a denial of service. This update addresses the issue by performing additional validation of DAAP messages. This issue does not affect Mac OS X systems. Credit to Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team for reporting this issue.

iTunes
CVE-ID: CVE-2009-0143
Available for: Mac OS X v10.4.10 or later, Mac OS X Server v10.4.10 or later, Windows XP or Vista
Impact: Subscribing to a malicious podcast may lead to the disclosure of iTunes username and password
Description: A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server. This update addresses the issue by clarifying the origin of the authentication request in the dialog. Credit to Simon Bellwood for reporting this issue.

iTunes 8.1 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes8.1.dmg"
Its SHA-1 digest is: 6c9ee64741158c9f45417b965b38b01ea3b51af1

For Windows XP / Vista:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 00bd8842cf0f2026cc4590ef434f6846eeca7fa4

For Windows XP / Vista 64 Bit:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: cd61ef5e5a6fd350d2ac4366a31de5d110defdff

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
Apple Product Security
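
The CVE-2009-0016 entry above attributes the denial of service to a crafted Content-Length value and the fix to additional validation of DAAP messages. The following Python is an added example, not Apple's code, and the advisory does not give the loop's root cause: it shows strict Content-Length validation plus a body-read loop that must make progress on every pass, for an HTTP-style message (DAAP is carried over HTTP); `MAX_BODY`, `BadMessage`, `SAMPLE` and the function names are assumptions.

```python
import io

MAX_BODY = 16 * 1024 * 1024  # assumed cap; the advisory names no limit
# Constructed sample message (not captured traffic).
SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nabcd"


class BadMessage(ValueError):
    """Raised when a message fails validation and must be dropped."""


def parse_content_length(header_block: bytes) -> int:
    """Return the declared body length, rejecting ambiguous or absurd values."""
    values = []
    for line in header_block.split(b"\r\n")[1:]:  # skip the start line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip())
    if len(values) != 1:
        raise BadMessage("missing or repeated Content-Length")
    raw = values[0]
    # bytes.isdigit() is False for b"", b"-1", b"+5", b"0x10" and b"1e9"
    if not raw.isdigit() or len(raw) > 10:
        raise BadMessage("Content-Length is not a plain decimal integer")
    length = int(raw)
    if length > MAX_BODY:
        raise BadMessage("Content-Length exceeds the configured maximum")
    return length


def read_body(stream, length: int) -> bytes:
    """Read exactly `length` bytes; every iteration must make progress."""
    chunks, remaining = [], length
    while remaining > 0:
        chunk = stream.read(min(remaining, 65536))
        if not chunk:  # peer stopped sending: fail instead of spinning
            raise BadMessage("body shorter than Content-Length")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def handle_message(raw: bytes) -> bytes:
    """Validate one HTTP-style message and return its body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadMessage("incomplete header block")
    return read_body(io.BytesIO(rest), parse_content_length(head))
```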