APPLE-SA-2004-09-07 Security Update 2004-09-07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2004-09-07 Security Update 2004-09-07

Security Update 2004-09-07 is now available and delivers security enhancements for the following system versions:

* Mac OS X v10.3.5 "Panther"
* Mac OS X v10.3.4 "Panther"
* Mac OS X v10.2.8 "Jaguar"
* Mac OS X Server v10.3.5 "Panther"
* Mac OS X Server v10.3.4 "Panther"
* Mac OS X Server v10.2.8 "Jaguar"

Given the relatively recent release of the Mac OS X v10.3.5 Software Update, this security update is available for both Mac OS X v10.3.4 and Mac OS X v10.3.5. Customers who are still evaluating Mac OS X v10.3.5 for large-scale deployment can apply the security update for Mac OS X v10.3.4 to increase the security of their systems during the evaluation period. After updating to Mac OS X v10.3.5, Security Update 2004-09-07 should be installed onto Mac OS X v10.3.5 even if it was previously installed on a Mac OS X v10.3.4 system.

This security update is also available for the previous major release, "Jaguar". All security enhancements present in the Panther version of this security update are also available for Jaguar if the issue could occur on Jaguar systems.

The following components are updated:

Component: Apache 2
CVE-IDs: CAN-2004-0493, CAN-2004-0488
Available for: Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Exposure to a potential Denial of Service.
Description: The Apache Organization has released Apache version 2.0.50. This release fixes a number of denial of service vulnerabilities. We have updated Apache to version 2.0.50 which only ships with Mac OS X Server, and is off by default.

Component: CoreFoundation
CVE-ID: CAN-2004-0821
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Privileged programs using CoreFoundation can be made to load a user supplied library.
Description: Bundles using the CoreFoundation CFPlugIn facilities can include directions to automatically load plugin executables. With a specially crafted bundle this could also occur for privileged programs, permitting a local privilege escalation. CoreFoundation now prevents automatic executable loading for bundles that already have a loaded executable. Credit to Kikuchi Masashi <kik@ms.u-tokyo.ac.jp> for reporting this issue.

Component: CoreFoundation
CVE-ID: CAN-2004-0822
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: An environment variable can be manipulated to cause a buffer overflow which can result in a privilege escalation
Description: By manipulating an environment variable a program could potentially be made to execute arbitrary code by a local attacker. This can only be exploited with access to a local account. Stricter validity checks are now performed for this environment variable. Credit to <aaron@vtty.com> for reporting this issue.

Component: IPSec
CVE-ID: CAN-2004-0607
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: When using certificates, unauthenticated hosts may be able to negotiate an IPSec connection.
Description: When configured to use X.509 certificates to authenticate remote hosts, a certificate verification failure does not abort the key exchange. Mac OS X does not use certificates for IPSec by default so this issue only affects configurations that have been manually configured. IPSec now verifies and aborts a key exchange if a certificate verification failure occurs.

Component: Kerberos
CVE-ID: CAN-2004-0523
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier could permit remote attackers to execute arbitrary code.
Description: The buffer overflow can only be exploited if "auth_to_local_names" or "auth_to_local" support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default. The security fix was back ported and applied to the Mac OS X versions of Kerberos. The Mac OS X and Mac OS X Server version of Kerberos is not susceptible to the recent "double-free" issue reported in the CERT vulnerability note VU#350792 (CAN-2004-0772). Credit to the MIT Kerberos Development Team for informing us of this issue.

Component: lukemftpd
CVE-ID: CAN-2004-0794
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A race condition that can permit an authenticated remote attacker to cause a denial of service or execute arbitrary code
Description: If the FTP service has been enabled, and a remote attacker can correctly authenticate, then a race condition would permit them to stop the FTP service or execute arbitrary code. The fix is to replace the lukemftpd FTP service with tnftpd. lukemftp is installed but not activated in Mac OS X Server, which instead uses xftp. Credit to Luke Mewburn of the NetBSD Foundation for informing us of this issue.

Component: OpenLDAP
CVE-ID: CAN-2004-0823
Available for: Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A crypt password can be used as if it were a plain text password
Description: Backwards compatibility with older LDAP implementations permits the storing of a crypt password in the userPassword attribute.
Some authentication validation schemes can use this value as if it were a plain text password. The fix removes the ambiguity and always uses this type of field as a crypt password. This issue does not occur in Mac OS X 10.2.8. Credit to Steve Revilak of Kayak Software Corporation for reporting this issue.

Component: OpenSSH
CVE-ID: CAN-2004-0175
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A malicious ssh/scp server can overwrite local files
Description: A directory traversal vulnerability in the scp program permits a malicious remote server to overwrite local files. The security fix was backported and applied to the Mac OS X versions of OpenSSH.

Component: PPPDialer
CVE-ID: CAN-2004-0824
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A malicious user can overwrite system files resulting in a local privilege escalation
Description: PPP components performed insecure accesses of a file stored in a world-writeable location. The fix moves the log files to a non-world-writeable location.

Component: QuickTime Streaming Server
Available for: Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
CVE-ID: CAN-2004-0825
Impact: A denial of service requiring a restart of the QuickTime Streaming Server
Description: A particular sequence of client operations can cause a deadlock on the QuickTime Streaming Server. The fix updates the code to eliminate this deadlock condition.

Component: rsync
CVE-ID: CAN-2004-0426
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: When rsync is run in daemon mode a remote attacker can write outside of the module path unless the chroot option has been set.
Description: rsync before version 2.6.1 does not properly sanitize paths when running a read/write daemon with the chroot option turned off. The fix updates rsync to version 2.6.2.

Component: Safari
CVE-ID: CAN-2004-0361
Available for: Mac OS X v10.2.8, Mac OS X Server v10.2.8
Impact: A JavaScript array of negative size can cause Safari to access out of bounds memory resulting in an application crash.
Description: Storing objects into a JavaScript array allocated with negative size can overwrite memory. Safari now stops processing JavaScript programs if an array allocation fails. This security enhancement was previously made available in Safari 1.0.3, and is being applied inside the Mac OS X 10.2.8 operating system as an extra layer of protection for customers who have not installed that version of Safari. This is a specific fix for Mac OS X v10.2.8 and the issue does not exist in Mac OS X v10.3 or later systems.

Component: Safari
CVE-ID: CAN-2004-0720
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: An untrusted web site can inject content into a frame intended to be used by another domain.
Description: A web site that uses multiple frames can have some of its frames replaced with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules preventing the attack.

Component: SquirrelMail
CVE-ID: CAN-2004-0521
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements
Description: SquirrelMail before 1.4.3 RC1 is vulnerable to SQL injection which permits unauthorized SQL statements to be run.
The fix updates SquirrelMail to version 1.4.3a

Component: tcpdump
CVE-IDs: CAN-2004-0183, CAN-2004-0184
Available for: Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Maliciously crafted packets can cause a crash of a running tcpdump
Description: The detailed printing functions for ISAKMP packets do not perform correct bounds checking and cause an out-of-bounds read which results in a crash. The fix updates tcpdump to version 3.8.3.

================================================

Security Update 2004-09-07 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.3.5 "Panther"
=====================================
The download file is named: "SecUpd2004-09-07PanMClient.dmg"
Its SHA-1 digest is: aa8bc2d78c37778cca3619f42dafdee5775bc7a6

For Mac OS X v10.3.4 "Panther"
=====================================
The download file is named: "SecUpd2004-09-07PanClient.dmg"
Its SHA-1 digest is: a37cd43439f4e82d05d07924101e370d96dc41a9

For Mac OS X v10.2.8 "Jaguar"
=====================================
The download file is named: "SecUpd2004-09-07JagClient.dmg"
Its SHA-1 digest is: 6f0ee457b5a729ef68fb50fc55417db400b52365

For Mac OS X Server v10.3.5 "Panther"
=====================================
The download file is named: "SecUpdSrvr2004-09-07PanM.dmg"
Its SHA-1 digest is: 8766c93d5675f8d1d9ebec67e80b7a94d16a1858

For Mac OS X Server v10.3.4 "Panther"
=====================================
The download file is named: "SecUpdSrvr2004-09-07PanL.dmg"
Its SHA-1 digest is: 7f4674515ff0172a2df9a451240410ac24459753

For Mac OS X Server v10.2.8 "Jaguar"
=====================================
The download file is named: "SecUpdSrvr2004-09-07Jag.dmg"
Its SHA-1 digest is: 099290119b6f47d935e8d064c36a90b0ad7acaf8

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html
Apple Product Security