APPLE-SA-2003-04-10 Mac OS X 10.2.5
- Subject: APPLE-SA-2003-04-10 Mac OS X 10.2.5
- From: Product Security <email@hidden>
- Date: Thu, 10 Apr 2003 14:44:25 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mac OS X 10.2.5 is now available. It contains fixes for recent
vulnerabilities in:

Apache 2.0: Fixes CAN-2003-0132, a denial of service vulnerability in
Apache 2.0 versions through 2.0.44. Apache 2.0 is distributed only
with Mac OS X Server, and is not enabled by default.

Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege
Escalation and DoS Attack. DirectoryServices is part of the Mac OS
X and Mac OS X Server information services subsystem. It is
launched at startup, setuid root and installed by default. A local
attacker can modify an environment variable in a way that allows
the execution of arbitrary commands as root.
Credit to Dave G. from @stake, Inc. for the discovery of this
vulnerability.

File Sharing/Service: Fixes CAN-2003-0198, where the contents of the
write-only DropBox folder can be revealed. When Personal File
Sharing on Mac OS X or Apple File Service on Mac OS X Server is
enabled, a "DropBox" folder is available by default to allow people
to deposit files. With this update, a guest can no longer change
the permissions of the "DropBox" folder.

OpenSSL: Fixes CAN-2003-0131, the Klima-Pokorny-Rosa attack on
PKCS #1 v1.5 padding. The patch from the OpenSSL team, which
addresses this vulnerability, is applied to Mac OS X and Mac OS X
Server.

Samba: Fixes CAN-2003-0201, which could allow an anonymous user to gain
remote root access due to a buffer overflow. The built-in Windows
file sharing is based on the open source technology called Samba
and is off by default in Mac OS X.

sendmail: Fixes CAN-2003-0161, where address parsing code in sendmail
does not adequately check the length of email addresses. Only the
patch from the sendmail team is applied to the currently-shipping
version of sendmail in Mac OS X and Mac OS X Server.

System requirements: Mac OS X 10.2.x (Jaguar)

Mac OS X 10.2.5 may be obtained from:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:

  Updating from Mac OS X 10.2.4:
  http://www.info.apple.com/kbnum/n120210
  The download file is titled: MacOSXUpdate10.2.5.dmg
  Its SHA-1 digest is: 1f98f9a21c3f17be823e2d63d90e534df01b3fdf

  Updating from Mac OS X 10.2 through 10.2.3:
  http://www.info.apple.com/kbnum/n120211
  The download file is titled: MacOSXUpdateCombo10.2.5.dmg
  Its SHA-1 digest is: a8ed6287d5bd0bdf67a2c0fd97b3af810f178d21

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----