site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2005-08-17 Security Update 2005-007 v1.1 Security Update 2005-007 v1.1 is now available and replaces Security Update 2005-007 v1.0 for Tiger systems Mac OS X v10.4.2 and Mac OS X Server v10.4.2. There is no change to Security Update 2005-007 for Panther systems Mac OS X v10.3.9 and Mac OS X Server v10.3.9. Users who have already installed v1.0 on Tiger systems should install v1.1. Security Update 2005-007 v1.1 provides a combined 32- and 64-bit version of LibSystem to replace the 32-bit version that was delivered in v1.0. No other changes have been made in version 1.1. The servermgrd description below has been updated to note that the issue does not occur for systems prior to Mac OS X Server v10.4. Security Update 2005-007 contains the following security enhancements: Apache 2 CVE-ID: CAN-2005-1344 Available for: Mac OS X Server v10.3.9 Impact: The htdigest program contains a buffer overflow, which if used improperly in a CGI application, could allow a remote system compromise. Description: The htdigest program could be used in a CGI application to manage user access controls to a web server. htdigest contains a buffer overflow. This update fixes the buffer overflow in htdigest. Apple does not provide any CGI applications that use the htdigest program. Apache 2 ships only with Mac OS X Server, and is off by default. This issue was fixed for Apache 1.3 in Security Update 2005-005. Credit to JxT of SNOsoft for reporting this issue. Apache 2 CVE-ID: CAN-2004-0942, CAN-2004-0885 Available for: Mac OS X Server v10.3.9 Impact: Multiple security issues in Apache 2. Description: The Apache Group fixed two vulnerabilities between versions 2.0.52 and 2.0.53. The Apache Group security page for Apache 2 is located at http://httpd.apache.org/security/vulnerabilities_20.html. The previously available version of Apache 2 was 2.0.52. Apache 2 is updated to version 2.0.53. Apache 2 ships only with Mac OS X Server, and is off by default. Apache 2 CVE-ID: CAN-2004-1083, CAN-2004-1084 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2 Impact: Apache 2 example configurations does not fully block access to resource forks, ".ht" files, or ".DS_Store" files. Description: Apache 2 ships only with Mac OS X Server, and is off by default. It is important that administrators who enable this server manually are aware of the files that should be blocked to avoid security exposures. A default Apache 2 configuration blocks access to files starting with ".ht" in a case sensitive way. The Apple HFS+ filesystem performs file access in a case insensitive way and maps resource forks of files to path names. The Finder may also create .DS_Store files containing the names of files in locations used to serve web pages. This update modifies the sample Apache 2 configuration to show how to restrict access to these files and resource forks. This issue was fixed for Apache 1.3 in Security Update 2004-12-02. Additional information is provided in http://docs.info.apple.com/article.html?artnum=300422 AppKit CVE-ID: CAN-2005-2501 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Opening a malicious rich text file could lead to arbitrary code execution. Description: A buffer overflow in the handling of maliciously crafted rich text files could lead to arbitrary code execution. This update prevents the buffer overflow from occuring. AppKit CVE-ID: CAN-2005-2502 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Opening a maliciously crafted Microsoft Word .doc file could result in arbitrary code execution. Description: A buffer overflow in AppKit that is responsible for reading Word documents could allow arbitrary code execution. Only applications such as TextEdit that use AppKit to open Word documents are vulnerable. Microsoft Word for Mac OS X is not vulnerable. This update prevents the buffer overflow. AppKit CVE-ID: CAN-2005-2503 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: A malicious user with physical access to a system could create additional local accounts. Description: A malicious user who has full physical access to a system could create additional accounts by forcing an error condition. This update prevents the error conditions from occurring at the login window. Bluetooth CVE-ID: CAN-2005-2504 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: The System Profiler information about whether or not a Bluetooth device requires authentication is misleading Description: Selecting "Require pairing for security" in Bluetooth preferences correctly sets the device to require authentication, but in System Profiler the device is labeled with "Requires Authentication: No". This update changes System Profiler to accurately reflect the Bluetooth security settings. This issue does not affect systems prior to Mac OS X 10.4. Credit to John M. Glenn of San Francisco for reporting this issue. CoreFoundation CVE-ID: CAN-2005-2505 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: Buffer overflow via a command line argument for applications using the CoreFoundation framework. Description: The incorrect handling of a command line argument within the CoreFoundation framework can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by improved handling of command line arguments. This issue does not affect Mac OS X 10.4. Credit to David Remahl of www.remahl.se/david for reporting this issue. CoreFoundation CVE-ID: CAN-2005-2506 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Passing a malformed date to the CoreFoundation framework can cause applications to stall. Description: The parsing of Gregorian dates in the CoreFoundation framework is vulnerable to an algorithmic complexity attack that could result in a denial of service. This update modifies the algorithm to parse all valid dates within a fixed processing time. Credit to David Remahl of www.remahl.se/david for reporting this issue. CUPS CVE-ID: CAN-2005-2525, CAN-2005-2526 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: The CUPS printing service will not print unless it is restarted. Description: When handling multiple, simultaneous, print jobs the CUPS printing service can stop printing because it incorrectly tracks open file descriptors. In addition, if CUPS receives a partial IPP request and a client terminates the connection, the printing service will then consume all available CPU. If the service is restarted then printing will resume. This update corrects the handling of multiple, simultaneous print jobs and partial requests. Directory Services CVE-ID: CAN-2005-2507 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2 Impact: A buffer overflow in Directory Services could lead to remote execution of arbitrary code. Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring. Directory Services CVE-ID: CAN-2005-2508 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: The privileged tool dsidentity has several security flaws that can result in non-administrative users adding or removing identity user accounts in Directory Services. Description: This update addresses this issue by removing dsidentity and its documentation. This issue does not affect systems prior to Mac OS X 10.4. Credit to kf_lists[at]digitalmunition[dot]com and Neil Archibald of Suresec LTD for reporting this issue. Directory Services CVE-ID: CAN-2005-2519 Available for: Mac OS X Server v10.3.9 Impact: Insecure temporary file creation could lead to a local privilege escalation. Description: slpd insecurely creates a root-owned file in the world-writable /tmp directory. This update moves the creation of the file to a directory that is not world-writable. This issue does not affect Mac OS X v10.4. HItoolbox CVE-ID: CAN-2005-2513 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: VoiceOver may read content from secure input fields. Description: Under certain circumstances, secure input fields may be read by VoiceOver services. This update stops VoiceOver from exposing the content of these fields. This issue does not affect systems prior to Mac OS X v10.4. Kerberos CVE-ID: CAN-2004-1189 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: An authenticated user could execute arbitrary code on the KDC host, compromising a Kerberos realm. Description: A heap buffer overflow in password history handling code could be exploited to execute arbitrary code on a Key Distribution Center(KDC). This issue does not affect Mac OS X 10.4. Credit to the MIT Kerberos team for reporting this isue. Their advisory for this vulnerability is located at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt Kerberos CVE-ID: CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, CERT VU#885830 VU#259798 VU#623332 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Multiple buffer overflow vulnerabilities could result in denial of service or remote compromise of a KDC. Description: This update upgrades Kerberos for Macintosh to version 5.5.1, which contains fixes for this issue. The Kerberos security advisories for these issues are located at http://web.mit.edu/kerberos/www/advisories/ Kerberos CVE-ID: CAN-2005-2511 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Kerberos enabled logins when using LDAP can result in root compromise. Description: When Kerberos authentication is enabled in addition to LDAP, it was possible to gain access to a root Terminal window. Kerberos authentication has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jim Foraker of Carnegie Mellon University and colleagues at MacEnterprise.Org for reporting this issue. loginwindow CVE-ID: CAN-2005-2509 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: A user can gain access to other logged-in accounts if Fast User Switching is enabled. Description: An error in the handling of Fast User Switching can allow a local user who knows the password for two accounts to log into a third account without knowing the password. This update corrects the authentication error. This issue does not affect systems prior to Mac OS X 10.4. Credit to Sam McCandlish for reporting this issue. Mail CVE-ID: CAN-2005-2512 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Loss of privacy due to Mail loading remote images in HTML emails. Description: When Mail.app is used to print or forward an HTML message, it will attempt to load remote images even if a user's preferences disallow it. As this network traffic is not expected, it may be considered a privacy leak. This update addresses the issue by having Mail.app only load remote images in HTML messages when the preferences allow it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brad Miller of CynicalPeak and John Pell of Foreseeable Solutions for reporting this issue. MySQL CVE-ID: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711 Available for: Mac OS X Server v10.3.9 Impact: Multiple vulnerabilities in MySQL including arbitrary code execution by remote authenticated users. Description: MySQL is updated to version 4.0.24 to address several issues. This does not affect systems running Mac OS X v10.4 as Tiger shipped with MySQL version 4.1.10a, which is patched against this issue. The MySQL announcement for version 4.0.24 is located at http://dev.mysql.com/doc/mysql/en/news-4-0-24.html OpenSSL CVE-ID: CAN-2004-0079, CAN-2004-0112 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Multiple denial of service vulnerabilities in OpenSSL. Description: OpenSSL is updated to version 0.9.7g to address several issues. The OpenSSL advisory for these issues is located at http://www.openssl.org/news/secadv_20040317.txt ping CVE-ID: CAN-2005-2514 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution. Description: The ping utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue. QuartzComposerScreenSaver CVE-ID: CAN-2005-2515 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Users could open web pages while the RSS Visualizer screen saver is locked. Description: It is possible to open displayed links from the RSS Visualizer in the background when the screen saver is configured to require a password. This update prevents the RSS Visualizer screen saver from opening a URL if a password is required to exit the screen saver. Credit to Jay Craft of GrooVault Entertainment, LLC for reporting this issue. Safari CVE-ID: CAN-2005-2516 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Clicking on a link in a maliciously-crafted rich text file in Safari could lead to arbitrary command execution. Description: Safari renders rich text content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This update addresses the issue by handling all links in rich text through Safari. Safari CVE-ID: CAN-2005-2517 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Information can be inadvertently submitted to the wrong site. Description: When submitting forms in Safari on an XSL formatted page, data is sent to the next page browsed. This update addresses the issue by ensuring that form contents are submitted correctly. Credit to Bill Kuker for reporting this issue. SecurityInterface CVE-ID: CAN-2005-2520 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Recently-used passwords are visible via the password assistant. Description: The password assistant provides an easy mechanism for selecting a good password. If an administrator uses the password assistant while adding multiple accounts, they will be able to view previously suggested passwords. This only occurs when password assistant is used more than once from the same process. This update addresses the issue by resetting the suggested password list each time the password assistant is displayed. This issue does not affect systems prior to Mac OS X v10.4. Credit to Andrew Langmead of Boston.com for reporting this issue. servermgrd CVE-ID: CAN-2005-2518 Available for: Mac OS X Server v10.4.2 Impact: A buffer overflow in servermgrd could lead to remote execution of arbitrary code. Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring. This issue does not affect systems prior to Mac OS X v10.4. servermgr_ipfilter CVE-ID: CAN-2005-2510 Available for: Mac OS X Server v10.4.2 Impact: Certain firewall policies created with the Server Admin tool are not always written to the Active Rules. Description: When using multiple subnets and Address Groups, the firewall rules are not always written to the Active Rules depending on the order in which the IP subnets were entered into the Address Group. This update addresses the issue by generating correct rules irrespective of any ordering within the Address Group. This issue does not affect systems prior to Mac OS X 10.4. Credit to Matt Richard of Franklin & Marshall College and Chris Pepper of The Rockefeller University for reporting this issue. SquirrelMail CVE-ID: CAN-2005-1769, CAN-2005-2095 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2 Impact: Multiple vulnerabilities in SquirrelMail including cross-site scripting and SquirrelMail user preference modification Description: There are multiple vulnerabilities in SquirreMail prior to version 1.4.5. These fixes address cross-site scripting and an exposure that may allow attackers to modify user preferences. This update upgrades SquirrelMail to version 1.4.5. For more information http://www.squirrelmail.org traceroute CVE-ID: CAN-2005-2521 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution. Description: The traceroute utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue. WebKit CVE-ID: CAN-2005-2522 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Clicking on a link in a maliciously-crafted PDF file in Safari could lead to arbitrary command execution. Description: Safari renders PDF content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This Safari issue does not affect systems prior to Mac OS X v10.4. This update addresses the issue by handling all links in PDF through Safari. Weblog Server CVE-ID: CAN-2005-2523 Available for: Mac OS X Server v10.4.2 Impact: Multiple cross-site scripting issues in Weblog Server. Description: Several cross-site scripting problems were discovered in the Weblog Server. This update improves the sanitizing of user input before re-displaying it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Donnie Werner ( wood@exploitlabs.com ) of Exploitlabs.com and Atsushi MATSUO for reporting this issue. X11 CVE-ID: CAN-2005-0605 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: A buffer overflow could result in arbitrary code execution. Description: An error in LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. This issue does not affect systems prior to Mac OS X v10.4. zlib CVE-ID: CAN-2005-2096, CAN-2005-1849 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Applications linked against zlib are susceptible to denial of service attacks and potential execution of arbitrary code. Description: By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application, resulting in denial of service or possible arbitrary code execution. This update address the issue by updating zlib to version 1.2.3. Security Update 2005-007 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.2 The download file is named: "SecUpd2005-007Ti.dmg" Its SHA-1 digest is: 61194b8b10d64c5c63250b29679c5cf6553808e4 For Mac OS X Server v10.4.2 The download file is named: "SecUpdSrvr2005-007Ti.dmg" Its SHA-1 digest is: 3fddac78fcad9218866837a261a3057678163f6a For Mac OS X v10.3.9 The download file is named: "SecUpd2005-007Pan.dmg" Its SHA-1 digest is: 602ce07500faecd1a7cf85274321aa406063bd87 For Mac OS X Server v10.3.9 The download file is named: "SecUpdSrvr2005-007Pan.dmg" Its SHA-1 digest is: 937deb4fd43c5bbce998ea743fd2b5f1fddee772 Information is posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) iQEVAwUBQwQlQoHaV5ucd/HdAQIzcgf/fUBrqwwRhxPVXBLlQiz7pq81qsfS5VQw HSu+R9Vyo3fiZO0an+BnwEEoRGfDTjcGyasRq7SVnJIHwRRNsaJoT9V0C6plrh/t H0MSQEiv5Fwgf0gTuI7SK/uRn7gp1NoqkHwVMJIW4aenDNkccJAkE3tw+ImqxMl9 PTCf4txEUN6X1EP9/swxMxRcxnazZpgovT0y/ym3J5kB16RIk9yhEjgq9zIIs+Jw yftlPxfQxmFQt9xjPL56XOAO2azmknkB5l+sOjQmuKd6f/82RG4zmO2QELSppZYM hee2EIGjPyPhinpP098OKbfGmh1a4z5NYPiU8T4JY2KGdfnEBpGyBA== =zWZZ -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com