APPLE-SA-2004-12-02 Security Update 2004-12-02
- Subject: APPLE-SA-2004-12-02 Security Update 2004-12-02
- From: Apple Product Security <email@hidden>
- Date: Thu, 2 Dec 2004 16:38:13 -0800
APPLE-SA-2004-12-02 Security Update 2004-12-02
Security Update 2004-12-02 is now available and delivers the
following security enhancements:
Apache
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1082
Impact: Apache mod_digest_apple authentication is vulnerable to
replay attacks.
Description: The Mac OS X Server specific mod_digest_apple is based
on Apache's mod_digest. Multiple corrections for a replay problem in
mod_digest were made in versions 1.3.31 and 1.3.32 of Apache
(CAN-2003-0987). This update corrects the replay problem in
mod_digest_apple authentication using the modifications made to
Apache 1.3.32.
Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2003-0020, CAN-2003-0987, CAN-2004-0174, CAN-2004-0488,
CAN-2004-0492, CAN-2004-0885, CAN-2004-0940
Impact: Multiple vulnerabilities in Apache and mod_ssl including
local privilege escalation, remote denial of service and in some
modified configurations execution of arbitrary code.
Description: The Apache Group fixed a number of vulnerabilities
between versions 1.3.29 and 1.3.33. The Apache Group security page
for Apache 1.3 is located at:
http://www.apacheweek.com/features/security-13. The previously
installed version of Apache was 1.3.29. The default installation of
Apache does not enable mod_ssl. This update fixes all of the applicable
issues by updating Apache to version 1.3.33 and the companion mod_ssl
to version 2.8.22.
Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1083
Impact: Apache configurations did not fully block access to
".DS_Store" files or those starting with ".ht".
Description: A default Apache configuration blocks access to files
starting with ".ht" in a case sensitive way. The Apple HFS+
filesystem performs file access in a case insensitive way. The Finder
may also create .DS_Store files containing the names of files in
locations used to serve web pages. This update modifies the Apache
configuration to restrict access to all files beginning with ".ht"
or ".DS_S" regardless of capitalization. For additional information
please refer to the Apple Knowledge Base article 300422.
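As an added illustration (not text from the advisory, and not Apple's shipped httpd.conf), here is an Apache 1.3 access-control block of the case-sensitive form the advisory describes, beside a case-insensitive form that also covers the Finder's .DS_Store files. The directives are standard Apache 1.3; the exact pattern is this example's own, not Apple's.

```apache
# Before: the pattern is case-sensitive. On a case-insensitive HFS+
# volume a request for /.HTACCESS or /.htAccess resolves to the same
# file as /.htaccess, but this block does not deny it.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# After: character classes make the match independent of case (Apache 1.3's
# bundled regex engine has no (?i) flag) and extend it to ".DS_S*", which
# catches .DS_Store. "Satisfy All" keeps a later Allow/Satisfy Any rule
# from re-opening access to these files.
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
```

After changing the pattern, confirm the deny with requests that vary the case of the filename, since a test that only requests the lowercase name will pass on both configurations.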
Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1084
Impact: File data and resource fork content can be retrieved via
HTTP bypassing normal Apache file handlers.
Description: The Apple HFS+ filesystem permits files to have
multiple data streams. These data streams can be directly accessed
using special filenames. A specially crafted HTTP request can bypass
an Apache file handler and directly access file data or resource fork
content. This update modifies the Apache configuration to deny
requests for file data or resource fork content via their special
filenames. For additional information please refer to the Apple
Knowledge Base article 300421. Credit to NetSec for reporting this
issue.
Apache 2
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0747, CAN-2004-0786, CAN-2004-0751, CAN-2004-0748
Impact: Modified Apache 2 configurations could permit a privilege
escalation for local users and remote denial of service.
Description: A customer-modified Apache 2 configuration, where
AllowOverride has been enabled, could permit a local user to execute
arbitrary code as the Apache (www) user. An unmodified configuration
is not vulnerable to this problem. This update also addresses bugs
in Apache that could allow certain types of requests to crash the
server. Apache is updated to version 2.0.52. Apache 2 ships only
with Mac OS X Server, and is off by default.
Appkit
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1081
Impact: Characters entered into a secure text field can be read by
other applications in the same window session.
Description: In some circumstances a secure text input field will
not correctly enable secure input. This can allow other applications
in the same window session to see some input characters and keyboard
events. Secure input is now enabled for secure text fields in a way
that prevents the leakage of key press information.
Appkit
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0803, CAN-2004-0804, CAN-2004-0886
Impact: Integer overflows and poor range checking in tiff handling
could allow execution of arbitrary code or denial of service.
Description: Flaws in decoding tiff images could overwrite memory,
cause arithmetic errors resulting in a crash, or permit the execution
of arbitrary code. This update corrects the problems in the handling
of tiff images.
Cyrus IMAP
Available for: Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1089
Impact: When using Kerberos authentication with Cyrus IMAP an
authenticated user could gain unauthorized access to other mailboxes
on the same system.
Description: When using the Kerberos authentication mechanism with
the Cyrus IMAP server a user could switch mailboxes after
authenticating and gain access to other mailboxes on the same system.
This update binds the mailbox to the authenticated user. This
server-specific issue is not present in Mac OS X Server v10.2.8.
Credit to email@hidden for reporting this issue.
HIToolbox
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1085
Impact: Users can quit applications in kiosk mode.
Description: A special key combination allowed users to bring up the
force quit window even in kiosk mode. This update blocks all
force-quit key combinations while in kiosk mode. This
issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8.
Credit to Glenn Blauvelt of University of Colorado at Boulder for
reporting this issue.
Kerberos
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
Impact: Exposure to a potential denial of service when Kerberos
authentication is used.
Description: MIT has released a new version of Kerberos that
addresses a denial of service and three double free errors. Mac OS X
contains protection against double free errors. This update applies
the fix for the denial of service problem. As a precautionary
measure the double free patches have also been applied. Credit to
the MIT Kerberos Development Team for reporting this issue and
providing fixes.
Postfix
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1088
Impact: Postfix using CRAM-MD5 may allow a remote user to send mail
without properly authenticating.
Description: Postfix servers using CRAM-MD5 to authenticate senders
were vulnerable to a replay attack. Under some circumstances, the
credentials used to successfully authenticate a user could be re-used
for a small time period. The CRAM-MD5 algorithm used to authenticate
users has been updated to close the replay window. This issue is
not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit
to Victor Duchovni of Morgan Stanley for reporting this issue.
PSNormalizer
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1086
Impact: A buffer overflow in PostScript to PDF conversion could
allow execution of arbitrary code.
Description: A buffer overflow in the handling of PostScript to PDF
conversion could potentially allow the execution of arbitrary code.
This update corrects the PostScript to PDF conversion code to
prevent the buffer overflow. This issue is not present in Mac OS X
v10.2.8 or Mac OS X Server v10.2.8.
QuickTime Streaming Server
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1123
Impact: Specially crafted requests could cause a denial of service.
Description: QuickTime Streaming Server was vulnerable to a denial
of service attack when handling DESCRIBE requests. This update
corrects the handling of these requests. Credit to iDEFENSE for
reporting this issue.
Safari
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1121
Impact: Specially crafted HTML can display a misleading URI in the
Safari status bar.
Description: Safari could be tricked into displaying a URI in its
status bar that was not the same as the destination of a link. This
update corrects Safari so that it now displays the URI that will be
activated when selected.
Safari
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1122
Impact: With multiple browser windows active, Safari users could be
misled about which window activated a pop-up window.
Description: When multiple Safari windows are open, a carefully
timed pop-up could mislead a user into thinking it was activated by a
different site. In this update Safari now places a window that
activates a pop-up in front of all other browser windows. Credit to
Secunia Research for reporting this issue.
Terminal
Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1087
Impact: Terminal may indicate that 'Secure Keyboard Entry' is active
when it is not.
Description: The 'Secure Keyboard Entry' menu setting was not
properly restored when launching Terminal.app. A check mark would be
displayed next to 'Secure Keyboard Entry' even though it was not
enabled. This update fixes the behavior of the 'Secure Keyboard
Entry'. This issue is not present in Mac OS X v10.2.8 or Mac OS X
Server v10.2.8. Credit to Jonathan 'Wolf' Rentzsch of Red Shed
Software for reporting this issue.
Security Update 2004-12-02 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.3.6
The download file is named: "SecUpd2004-12-02Pan.dmg"
Its SHA-1 digest is: 208665fa6508514ff1497cf30f1c9d618bb3d0f9
For Mac OS X Server v10.3.6
The download file is named: "SecUpdSrvr2004-12-02Pan.dmg"
Its SHA-1 digest is: 7590ac4d324a4bc26e227fc88212e690b3ec1a06
For Mac OS X v10.2.8
The download file is named: "SecUpd2004-12-02Jag.dmg"
Its SHA-1 digest is: 9b6e9a63272a9faf77a173a24536b6d4db380edb
For Mac OS X Server v10.2.8
The download file is named: "SecUpdSrvr2004-12-02Jag.dmg"
Its SHA-1 digest is: cc0c7dbdd9d812138ce02844b83e79d478a4f36d
Information will also be posted to the Apple Product Security
web site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html