APPLE-SA-2006-08-09 Security Update 2006-004 for Mac Pro
- Subject: APPLE-SA-2006-08-09 Security Update 2006-004 for Mac Pro
- From: Apple Product Security <email@hidden>
- Date: Wed, 9 Aug 2006 12:31:39 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2006-08-09 Security Update 2006-004 for Mac Pro
"Security Update 2006-004 for Mac Pro" is now available.
Security Update 2006-004 was released on August 1, and details are
available via:
http://docs.info.apple.com/article.html?artnum=304063
The new Mac Pro product ships with Mac OS X v10.4.7 Build 8K1079.
Also, the existing Xserve hardware is now shipping with Mac OS X
Server v10.4.7 Build 8K1079.
The fixes provided in Security Update 2006-004 (August 1 release) are
contained in Build 8K1079, with the exception of the ones listed
below for ImageIO and OpenSSH. The fixes for these issues were not
fully tested in time for the manufacturing of the Mac Pro, and are
being provided via this security update.
This update is a proper subset of the full Security Update 2006-004
released on August 1. Existing systems that have already applied
Security Update 2006-004 (Aug 1 release) do not need to install this
update.
The following security fixes are provided only for systems running
Mac OS X v10.4.7 Build 8K1079 or Mac OS X Server v10.4.7 Build 8K1079
to reach the full security level provided with Security Update
2006-004 (August 1 release).
ImageIO
CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465
Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server
v10.4.7 Build 8K1079
Impact: Viewing a maliciously-crafted TIFF image may lead to an
application crash or arbitrary code execution
Description: Buffer overflows were discovered in TIFF tag handling
(CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder
(CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By
carefully crafting a corrupt TIFF image, an attacker can trigger a
buffer overflow which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of TIFF images. Systems prior to Mac OS X v10.4
are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462).
Credit to Tavis Ormandy, Google Security Team for reporting this
issue. Note: A fifth issue discovered by Tavis Ormandy,
CVE-2006-3460, does not affect Mac OS X.
OpenSSH
CVE-ID: CVE-2006-0393
Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server
v10.4.7 Build 8K1079
Impact: When remote login is enabled, remote attackers may cause a
denial of service or determine whether an account exists
Description: Attempting to log in to an OpenSSH server ("Remote
Login") using a nonexistent account causes the authentication process
to hang. An attacker can exploit this behavior to detect the
existence of a particular account. A large number of such attempts
may lead to a denial of service. This update addresses the issue by
properly handling attempted logins by nonexistent users. This issue
does not affect systems prior to Mac OS X v10.4. Credit to Rob
Middleton of the Centenary Institute (Sydney, Australia) for
reporting this issue.
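The OpenSSH issue above turns a login attempt for a nonexistent account into a hang and, in volume, a denial of service. The script below is an added example (not part of Apple's advisory) of the defender-side check a practitioner would want: it counts login attempts for nonexistent accounts per source address and flags sources above a threshold. It assumes OpenSSH's usual log wording "Invalid user NAME from ADDR"; the sample log lines are constructed for the demonstration and not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the standard OpenSSH
# message "Invalid user NAME from ADDR"; the log below is constructed.

SAMPLE_AUTH_LOG='Aug  9 12:31:39 host sshd[101]: Invalid user backup from 192.0.2.10
Aug  9 12:31:40 host sshd[102]: Invalid user oracle from 192.0.2.10
Aug  9 12:31:41 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Aug  9 12:31:42 host sshd[104]: Invalid user test from 192.0.2.10
Aug  9 12:31:43 host sshd[105]: Invalid user guest from 203.0.113.5'

# Read log lines on stdin; print "ADDR COUNT" for every source that
# attempted to log in as a nonexistent user, highest count first.
invalid_user_counts() {
    awk '/sshd\[[0-9]+\]: Invalid user /{
            # the address is the field after the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { counts[$(i+1)]++; break }
         }
         END { for (a in counts) print a, counts[a] }' | sort -k2,2nr -k1,1
}

# Read log lines on stdin; print only sources with at least THRESHOLD
# nonexistent-user attempts.
sources_over_threshold() {
    threshold="$1"
    invalid_user_counts | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Usage (stdin driven, so any auth log works; the path is illustrative):
#   sources_over_threshold 3 < /var/log/secure.log
# Against the constructed sample this prints: 192.0.2.10
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | sources_over_threshold 3
```

The threshold is deliberately a parameter rather than a constant: a single mistyped username is normal, a burst from one source is the pattern the advisory describes.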
"Security Update 2006-004 for Mac Pro" may be obtained from the
Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
For both Mac OS X v10.4.7 Build 8K1079 and
Mac OS X Server v10.4.7 Build 8K1079:
The download file is named: "SecUpd2006-004.dmg"
Its SHA-1 digest is: e11014106e79277057c5c54b555ed163703ea8c0
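A download should be checked against the published digest before it is installed. The script below is an added example (not part of Apple's advisory) showing that check: it computes a file's SHA-1 with whichever of sha1sum, shasum or openssl is present, normalises case, and compares against the expected value. The expected digest constant is the one printed above; the download path in the usage comment is illustrative, and the three-byte demonstration file is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. EXPECTED_SECUPD_SHA1 is the digest
# published in the advisory text; everything else here is an assumption.

EXPECTED_SECUPD_SHA1="e11014106e79277057c5c54b555ed163703ea8c0"

# Print the lowercase hex SHA-1 of a file using whichever tool is available.
sha1_of_file() {
    f="$1"
    if command -v sha1sum >/dev/null 2>&1; then
        h=$(sha1sum "$f" | awk '{ print $1 }')
    elif command -v shasum >/dev/null 2>&1; then
        h=$(shasum -a 1 "$f" | awk '{ print $1 }')
    else
        # openssl prints "SHA1(file)= <hex>"; keep only the last field
        h=$(openssl dgst -sha1 "$f" | awk '{ print $NF }')
    fi
    printf '%s\n' "$h" | tr 'A-F' 'a-f'
}

# Return 0 when the file's digest matches the expected one, 1 otherwise.
# The expected value is lowercased so a copy-pasted uppercase digest still
# compares correctly.
verify_sha1() {
    f="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha1_of_file "$f")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $f matches $expected"
        return 0
    fi
    echo "MISMATCH: $f has $actual, expected $expected" >&2
    return 1
}

# Usage against the real download (illustrative path):
#   verify_sha1 ~/Downloads/SecUpd2006-004.dmg "$EXPECTED_SECUPD_SHA1"

# Constructed demonstration: the file "abc" has the well-known SHA-1
# a9993e364706816aba3e25717850c26c9cd0d89d, so this returns 0.
demo_verify() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    verify_sha1 "$tmp" "a9993e364706816aba3e25717850c26c9cd0d89d"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

A mismatch means the file is not the one the advisory describes, whether through a corrupted download or a substituted one, and the safe action is to discard it and fetch it again from Apple's site rather than install it.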
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRNo3ZImzP5/bU5rtAQgHtgf+IIuysGUv5SQSLXuZm7P5AFbm0ZWRYHzU
sDxRgexjeoBmqOa2Ex7CrvrC6Xjr/N8qdceTYCQbmxELDi0+tHv5rGhAhfVslJAt
QZuONI5bQHgb7LEEN2lmuWnk9fNtn96x9jmCpBQBiz2+ez8U5ws3L9AREddiQnEy
Xnd8IV66BbqGpv+O2wkrpkFTdp/7sb8dS+zO9YERUT9FxIKe9V/Y6SocevmFlgGM
/BNHPPLTTSdoQpmrRncdY11oSXL2ut7rS956IQYWKfI7WMD8dC51UMYFjVatJ4+C
SjnngUB8lMn4/6Zjj9Jt6t3QWs5Y9DYISDVVfGkigNb6kIqk073Iiw==
=nMCx
-----END PGP SIGNATURE-----
Security-announce mailing list (email@hidden)