APPLE-SA-2011-03-02-1 iTunes 10.2
iTunes 10.2 is now available and addresses the following:

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2010-1205
CVE-2010-2249

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0170 : Andrzej Dyjak working with iDefense VCP

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0191 : Apple

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0192 : Apple

libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution
Description: A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4494 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences

libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4008 : Bui Quang Minh from Bkis (www.bkis.com)

WebKit
Available for: Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in WebKit. A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-1824 : kuzzcc, and wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-0111 : Sergey Glazunov
CVE-2011-0112 : Yuzo Fujishima of Google Inc.
CVE-2011-0113 : Andreas Kling of Nokia
CVE-2011-0114 : Chris Evans of Google Chrome Security Team
CVE-2011-0115 : J23 working with TippingPoint's Zero Day Initiative, and Emil A Eklund of Google, Inc
CVE-2011-0116 : an anonymous researcher working with TippingPoint's Zero Day Initiative
CVE-2011-0117 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0118 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0119 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0120 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0121 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0122 : Slawomir Blazek
CVE-2011-0123 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0124 : Yuzo Fujishima of Google Inc.
CVE-2011-0125 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0126 : Mihai Parparita of Google, Inc.
CVE-2011-0127 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0128 : David Bloom
CVE-2011-0129 : Famlam
CVE-2011-0130 : Apple
CVE-2011-0131 : wushi of team509
CVE-2011-0132 : wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-0133 : wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-0134 : Jan Tosovsky
CVE-2011-0135 : an anonymous reporter
CVE-2011-0136 : Sergey Glazunov
CVE-2011-0137 : Sergey Glazunov
CVE-2011-0138 : kuzzcc
CVE-2011-0139 : kuzzcc
CVE-2011-0140 : Sergey Glazunov
CVE-2011-0141 : Chris Rohlf of Matasano Security
CVE-2011-0142 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0143 : Slawomir Blazek and Sergey Glazunov
CVE-2011-0144 : Emil A Eklund of Google, Inc.
CVE-2011-0145 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0146 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0147 : Dirk Schulze
CVE-2011-0148 : Michal Zalewski of Google, Inc.
CVE-2011-0149 : wushi of team509 working with TippingPoint's Zero Day Initiative, and SkyLined of Google Chrome Security Team
CVE-2011-0150 : Michael Gundlach of safariadblock.com
CVE-2011-0151 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0152 : SkyLined of Google Chrome Security Team
CVE-2011-0153 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0154 : an anonymous researcher working with TippingPoint's Zero Day Initiative
CVE-2011-0155 : Aki Helin of OUSPG
CVE-2011-0156 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0164 : Apple
CVE-2011-0165 : Sergey Glazunov
CVE-2011-0168 : Sergey Glazunov

iTunes 10.2 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes10.2.dmg"
Its SHA-1 digest is: 35da52c03a478d7ff325e67d589e48afd195c9ab

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f40939eaca43648e55c137be220fa391bb48c6c

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: efc23fc7d92eb95a1f2588b8a6506d99b726c9ea

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
Apple Product Security
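The advisory publishes a SHA-1 digest for each installer; the following added example (not part of Apple's advisory) parses those "download file is named / SHA-1 digest is" pairs out of the advisory text and checks a downloaded file against the matching digest. The function names are assumptions made for illustration, and the check only ties the file to the advisory text, whose own authenticity rests on the PGP signature mentioned above.

```python
import hashlib
import hmac
import re

# Download section of the advisory, digests exactly as published above.
ADVISORY_EXCERPT = """
For Mac OS X:
The download file is named: "iTunes10.2.dmg"
Its SHA-1 digest is: 35da52c03a478d7ff325e67d589e48afd195c9ab
For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f40939eaca43648e55c137be220fa391bb48c6c
For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: efc23fc7d92eb95a1f2588b8a6506d99b726c9ea
"""

# \s* tolerates both the original line layout and archives that flatten it.
PAIR_RE = re.compile(
    r'download file is named:\s*"([^"]+)"\s*'
    r'Its SHA-1 digest is:\s*([0-9a-fA-F]{40})\b'
)


def published_digests(advisory_text):
    """Map each file name in the advisory to its lower-case SHA-1 digest."""
    return {name: digest.lower() for name, digest in PAIR_RE.findall(advisory_text)}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_name, advisory_text=ADVISORY_EXCERPT):
    """True only if the file's SHA-1 equals the digest listed for published_name."""
    expected = published_digests(advisory_text).get(published_name)
    if expected is None:
        # Refuse to "verify" a file the advisory never listed.
        raise KeyError(f"no digest published for {published_name!r}")
    return hmac.compare_digest(sha1_of_file(path), expected)
```
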