APPLE-SA-2003-11-19 Security Update 2003-11-19
Security Update 2003-11-19 is now available for Mac OS X 10.2.8 and Mac OS X 10.3.

It is Apple's policy to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible. Security Update 2003-11-19 includes updates to several components of Mac OS X v10.2 "Jaguar" that meet these criteria.

Updates for Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8
=================================================================

gm4: Fixes CAN-2001-1411, a format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventive measure against a possible future exploit.

groff: Fixes VU#399883, where the groff component pic contained a format-string vulnerability.

Mail: Fixes CAN-2003-0881: the Mac OS X Mail application will no longer fall back to plain text login when an account is configured to use MD5 Challenge Response.

OpenSSL: Fixes CAN-2003-0851: particular malformed ASN.1 sequences are now parsed in a more secure manner.

Personal File Sharing: Fixes CAN-2003-0878: when Personal File Sharing is enabled, the slpd daemon can no longer create a root-owned file in the /tmp directory to gain elevated privileges.

QuickTime for Java: Fixes CAN-2003-0871, a potential vulnerability that could allow unauthorized access to a system.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.

Updates for Mac OS X v10.3.1 "Panther" and Mac OS X Server v10.3.1
==================================================================

OpenSSL: Fixes CAN-2003-0851: particular malformed ASN.1 sequences are now parsed in a more secure manner.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.

================================================

Security Update 2003-11-19 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    Security Update 2003-11-19 for Jaguar 10.2.8
    http://www.info.apple.com/kbnum/n120277
    The download file is named: "SecurityUpd2003-11-19Jag.dmg"
    Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b

    Security Update 2003-11-19 for Panther 10.3.1
    http://www.info.apple.com/kbnum/n120278
    The download file is named: "SecurityUpd2003-11-19.dmg"
    Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html
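The Mail fix (CAN-2003-0881) amounts to a fail-closed rule: an account pinned to MD5 Challenge Response must refuse to authenticate when the server does not offer it, rather than sending the password in plain text. The following is an added illustration of that rule and is not Apple's code; it assumes an IMAP-style CAPABILITY line, and the function names, the preference order for unpinned accounts and the sample capability lines are all constructed for the example.

```python
import base64
import hashlib
import hmac

class AuthDowngradeError(Exception):
    """The server did not offer the mechanism the account is pinned to."""

def advertised_mechanisms(capability_line):
    """Return SASL mechanisms from an IMAP CAPABILITY line (AUTH=<mech> tokens)."""
    return {tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}

def choose_mechanism(capability_line, required=None):
    """Select the mechanism to use; a pinned account never falls back."""
    offered = advertised_mechanisms(capability_line)
    if required is not None:
        if required.upper() not in offered:
            # Fail closed: do not send the password with a weaker mechanism.
            raise AuthDowngradeError(
                f"{required} required but server offers {sorted(offered)}")
        return required.upper()
    # Unpinned account (assumed preference order): strongest first.
    for mech in ("CRAM-MD5", "PLAIN", "LOGIN"):
        if mech in offered:
            return mech
    raise AuthDowngradeError("no supported mechanism offered")

def cram_md5_response(user, password, challenge_b64):
    """RFC 2195: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

# Constructed capability lines (not captured from any real server).
FULL = "* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN"
STRIPPED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    print(choose_mechanism(FULL, required="CRAM-MD5"))
    try:
        choose_mechanism(STRIPPED, required="CRAM-MD5")
    except AuthDowngradeError as exc:
        print("refused:", exc)
```

With CRAM-MD5 the password never crosses the wire; only the keyed digest of the server's challenge does, which is why a silent fallback to a plain text mechanism defeats the account's configuration.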