APPLE-SA-2003-02-14 Mac OS X 10.2.4 client
- Subject: APPLE-SA-2003-02-14 Mac OS X 10.2.4 client
- From: Product Security <email@hidden>
- Date: Fri, 14 Feb 2003 11:27:02 -0800
-----BEGIN PGP SIGNED MESSAGE-----
APPLE-SA-2003-02-14 Mac OS X 10.2.4 client
Mac OS X 10.2.4 client Software Update is now available. It contains
fixes for the following potential security issues:
* Sendmail: Fixes CAN-2002-0906: a buffer overflow in Sendmail before
  8.12.5, when configured to use a custom DNS map to query TXT records,
  could permit a denial of service attack and possibly allow execution
  of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the
  SMRSH fix applied to also address CAN-2002-1165.
* AFP: Fixes CAN-2003-0049 "AFP login permissions for the system
  administrator". Provides an option whereby a system administrator may
  or may not be allowed to log in as a user, authenticating via their
  admin password. Previously, administrators could always log in as a
  user, authenticating via their own admin password.
* Classic: Fixes CAN-2003-0088, where an attacker may change an
  environment variable to create arbitrary files or overwrite existing
  files, which could lead to obtaining elevated privileges. Credit to
  Dave G. from @stake, Inc. for discovering this issue.
* Samba: Previous releases of Mac OS X are not vulnerable to
  CAN-2002-1318, an issue in Samba's length checking for encrypted
  password changes. Mac OS X currently uses Directory Services for
  authentication, and does not call the vulnerable Samba function.
  However, to prevent a potential future exploit via this function, the
  patch from Samba 2.2.7 was applied although the version of Samba was
  not changed for this update release. Further information is available
  from: http://samba.org/samba/whatsnew/samba-2.2.7.html
Mac OS X 10.2.4 client Software Update may be obtained from:
* Software Update pane in System Preferences
- OR -
* Apple's Software Downloads web site:
  Updating from Mac OS X 10.2.3:
    http://www.info.apple.com/kbnum/n70167
    The download file is named: "MacOSXUpdate10.2.4.dmg"
    Its SHA-1 digest is: a54695d21f1162bd453d2f9a3b02176cae8c8777
  Updating from Mac OS X 10.2, 10.2.1, or 10.2.2:
    http://www.info.apple.com/kbnum/n70168
    The download file is named: "MacOSX10.2.4Combined.dmg"
    Its SHA-1 digest is: 0b377141c1cd11d303a72ce3fac5170d2e02cf3b
Information is also posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
-----END PGP SIGNATURE-----
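Checking a downloaded update image against the SHA-1 digests listed in the advisory above, as an added example that is not part of Apple's message. The function names are this example's own, and the digests are only as trustworthy as the signed message they were copied from, so the PGP signature is checked first.

```python
import hashlib
import hmac
import os
import sys

# SHA-1 digests exactly as published in the advisory (file name -> digest).
PUBLISHED_SHA1 = {
    "MacOSXUpdate10.2.4.dmg": "a54695d21f1162bd453d2f9a3b02176cae8c8777",
    "MacOSX10.2.4Combined.dmg": "0b377141c1cd11d303a72ce3fac5170d2e02cf3b",
}

def normalize_digest(text):
    """Accept digests pasted from mail (spaces, upper case); reject anything else."""
    digest = "".join(text.split()).lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a 40-hex-digit SHA-1 digest: %r" % text)
    return digest

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so a large disk image is never read into memory whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published=PUBLISHED_SHA1):
    """Return (matches, actual_digest) for a downloaded update image.

    The expected digest is selected by file name, so the combined image can
    never be accepted against the 10.2.3 updater's digest or vice versa.
    A file name the advisory does not list raises KeyError.
    """
    name = os.path.basename(path)
    if name not in published:
        raise KeyError("no published digest for %r" % name)
    expected = normalize_digest(published[name])
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected), actual

if __name__ == "__main__":
    status = 0
    for p in sys.argv[1:]:
        ok, actual = verify_download(p)
        print("%s  %s  %s" % ("OK      " if ok else "MISMATCH", actual, p))
        status |= 0 if ok else 1
    sys.exit(status)
```

Run it with the paths of the downloaded .dmg files as arguments; the exit status is non-zero if any file does not match its published digest.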