APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
- Subject: APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
- From: Product Security <email@hidden>
- Date: Fri, 03 Oct 2003 17:03:40 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
Mac OS X 10.2.8 has been re-posted, and it is updated to address
issues discovered with certain system configurations. The security
enhancements in Mac OS X 10.2.8 are identical between the first
release and the one now available.
================================================
This note describes all security enhancements in Mac OS X 10.2.8,
with the following new information:
* Security enhancements for OpenSSL (details below) have been recently
announced, and we can now disclose the presence of these enhancements
in Mac OS X 10.2.8.
* The latest release of Mac OS X 10.2.8 includes support for PowerMac
G5 systems. The initial 10.2.8 release only applied to PowerMac G4
systems.
* A Sendmail workaround for Mac OS X 10.1.x systems is described
below.
================================================
Mac OS X 10.2.8 contains security enhancements for the following:
OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address
potential issues in certain ASN.1 structures and in certificate
verification code. To deliver the update in a rapid and reliable
manner, only the patches for the CVE IDs listed above were
applied, and not the entire latest OpenSSL library. Thus, the
OpenSSL version in Mac OS X 10.2.8, as obtained via the
"openssl version" command, is: OpenSSL 0.9.6i Feb 19 2003
OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
versions prior to 10.2.8, the vulnerability is limited to a denial
of service from the possibility of causing sshd to crash. Each
login session has its own sshd, so established connections are
preserved up to the point where system resources are exhausted by
an attack.
To deliver the update in a rapid and reliable manner, only the
patches for CVE IDs listed above were applied, and not the entire
set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
0x0090609f
fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in
the fb_realpath() function that may allow attackers to execute
arbitrary code.
arplookup(): Fixes CAN-2003-0804. The arplookup() function caches
ARP requests for routes on a local link. On a local subnet only,
it is possible for an attacker to send a sufficient number of
spoofed ARP requests which will exhaust kernel memory, leading to
a denial of service.
Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
buffer overflow in address parsing, as well as a potential buffer
overflow in ruleset parsing.
================================================
How to install Sendmail for Mac OS X 10.1.5 systems:
- - From the UNIX command-line, perform the following steps:
1. Download sendmail version 8.12.10 which contains the fix to the
Zalewski advisory, released on 2003/09/17, by executing the following
command:
curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
2. Verify the integrity of this file by typing:
cksum sendmail.8.12.10.tar.gz
which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"
3. Unpack the distribution as follows:
tar xvzf sendmail.8.12.10.tar.gz
4. Add the following line to your /etc/master.passwd file:
smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false
5. Add the following line to your /etc/group file:
smmsp:*:25:
6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
same smmsp user and group entries to your netinfo database. The
easiest way is to duplicate existing entries and edit them to match
the entries in steps 4 and 5. For example, in the users pane you
could select and the duplicate (%D) the entry for "www" and then edit
the uid/gid/name/home directory fields in the new "www copy" to match
those in step 4. Similarly, for groups you could select the entry for
"mail" and duplicate it, editing just the name and gid fields to match
those in step 5. When you're done, you should see a users/smmsp entry
and a groups/smmsp entry.
7. Now you're ready to start building the distribution. cd to the
sendmail-8.12.10 directory and type "make"
8. The next two steps will install the new sendmail:
sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
sudo make install
Make sure the permissions on your root directory are 755 (or set
DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should
now be running the patched sendmail.
================================================
Mac OS X 10.2.8 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
PowerMac G4 systems
===================
Mac OS X Client (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120244
The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82
Mac OS X Client (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120245
The download file is named: "MacOSXUpdate10.2.8.dmg"
Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c
Mac OS X Server (updating from 10.2.6):
http://www.info.apple.com/kbnum/n120246
The download file is named: "MacOSXServerUpdate10.2.8.dmg"
Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36
Mac OS X Server (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120247
The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67
PowerMac G5 systems
===================
Mac OS X Update (G5) v10.2.8(G5)
http://www.info.apple.com/kbnum/n120248
The download file is named: "MacOSXUpdate10.2.5.dmg"
Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac
For systems with the initial release (only) of Mac OS X 10.2.8
==============================================================
Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
http://www.info.apple.com/kbnum/n120252
The download file is named: "MacOSXUpd10.2.8.dmg"
Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP34ORHeI0z6bzFr0AQI54Af/Uk6ZrNYG4JHgX7cA9jU81R8q0cDCujcT
srEYFtdsO0C1ktaeIPq7+rusfK06gwJbFcNdL2AWzHIHDJ61mdarO9FenrJEqx/3
A7OyA44RQQWgcvY82P9voH7nLnhqAmqXwPK+ceLr6QvwtAjV6Q67xq3iCL9Yng0e
u9fE9Oq66C132XuphNecr6XidVh3bCq4c5o0WbaWmrKlnLXad3sVUBcJ+/8uT/mv
eareO74u8Hadap2DPPjNFKVeTAMjuMHzryjRKUYBDzX7fhUsJVclUvcdamuEVgFO
SOVrKXvmFG3Td36tcGK6MHcAicQM/AjJqbv+q+KAzJ27p0UD2GNX2A==
=XmO2
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.