site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2007-06-22 Security Update 2007-006 Security Update 2007-006 is now available and addresses the following issues: WebCore CVE-ID: CVE-2007-2401 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later Impact: Visiting a malicious website may allow cross-site requests Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue. WebKit CVE-ID: CVE-2007-2399 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue. Security Update 2007-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.9 (PowerPC) or later and Mac OS X Server v10.4.9 (PowerPC) or later The download file is named: "SecUpd2007-006Ti.dmg" Its SHA-1 digest is: 14ba95e8d6e795b9d0f99b614fe426d643edf15e For Mac OS X v10.4.9 (Universal) or later and Mac OS X Server v10.4.9 (Universal) or later The download file is named: "SecUpd2007-006Univ.dmg" Its SHA-1 digest is: 68fe035d8653de6e4d27da92d4dbf77c53c1f214 For Mac OS X v10.3.9 and Mac OS X Server v10.3.9 The download file is named: "SecUpd2007-006Pan.dmg" Its SHA-1 digest is: 8c085ef167f1bfa92ec9e34834181bb034686e8a Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.6 (Build 6060) iQEVAwUBRnwMjsgAoqu4Rp5tAQjnVgf+PyJLQ1pYYv6QrdoLiRaR3IhuhDF2wgkd m3UB661sexst2aI417mbqRqdH1W1XUl5EpJlKNzXg9k2BiWxVwD21CxqhLUXJlku zxXdmAqEIqy2GXtmAquuAX8c0oQF3k+uip8ovzddc9q+B0WV0/vbQODN+O3EkVs9 TNRVjowN0Pmp1Tb8O0hLsBqh57FtH9lzT0d9sGh6/C7zke7lxVOWYd9Y0Vov72rd 9oYv/q+Knj9qh4Zylp3Kg7Um0wotCX2JQ+U+XTNgr00sifaw6WUjpcpq9hQdAgv8 4CrFJGId7g+SYvbqy4pzfLQSFboeYD3HOZsVPSCze57tQSmBfJ6CJw== =mli5 -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com