APPLE-SA-2009-05-12 Safari 3.2.3
Safari 3.2.3 is now available and addresses the following:

libxml
CVE-ID: CVE-2008-3529
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in libxml's handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3 on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11 with Security Update 2009-002 installed.

Safari
CVE-ID: CVE-2009-0162
Available for: Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Accessing a maliciously crafted "feed:" URL may lead to arbitrary code execution
Description: Multiple input validation issues exist in Safari's handling of "feed:" URLs. Accessing a maliciously crafted "feed:" URL may lead to the execution of arbitrary JavaScript. This update addresses the issues by performing additional validation of "feed:" URLs. These issues do not affect systems prior to Mac OS X v10.5. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Credit to Billy Rios and Microsoft Vulnerability Research (MSVR), and Alfredo Melloni for reporting these issues.

WebKit
CVE-ID: CVE-2009-0945
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of SVGList objects.
Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3 on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11 with Security Update 2009-002 installed. Credit to Nils working with TippingPoint's Zero Day Initiative for reporting this issue.

Safari 3.2.3 is available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.7
The download file is named: Safari3.2.3Leo.dmg
Its SHA-1 digest is: d2e994d0c7125777e396d6c6a056f1222987944e

Safari for Mac OS X v10.4.11
The download file is named: Safari3.2.3Ti.dmg
Its SHA-1 digest is: 3c194ab0f1fa99531f4f1648d34878e9927371af

Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 54b707e636557720d52526e33262e1a44e8093a6

Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 215e482adbaa1561ca2b90deb65b397894680f36

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
Apple Product Security