Apple security updates (03-Oct-2003 to 11-Jan-2005)

This document outlines security updates for Apple products released between 03-Oct-2003 and 11-Jan-2005.

Important: For information about later (newer) security updates, see “Apple security updates”.

For information about earlier security updates, see “Apple Security Updates: August 2003 and Earlier”.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple, Inc. Product Security Incident Response website.

Apple Product Security PGP Key

For information, see “How To Use The Apple Product Security PGP Key”.

Security updates

Security updates are listed below according to the software release in which they first appeared. Where possible, CVE IDs are used to reference the vulnerabilities for further information.

iTunes 4.7.1

Available for: Mac OS X, Microsoft Windows XP, Microsoft Windows 2000

CVE-ID: CAN-2005-0043

Impact: Malicious playlists can cause iTunes to crash and could execute arbitrary code.

Description: iTunes supports several common playlist formats. iTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls playlist files that could allow earlier versions of iTunes to crash and execute arbitrary code. Credit to Sean de Regge (seanderegge[at]hotmail.com) for discovering this issue and to iDEFENSE Labs for reporting it to us.

Security Update 2004-12-02

Apache

Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1082

Impact: Apache mod_digest_apple authentication is vulnerable to replay attacks.

Description: The Mac OS X Server specific mod_digest_apple is based on Apache’s mod_digest. Multiple corrections for a replay problem in mod_digest were made in versions 1.3.31 and 1.3.32 of Apache (CAN-2003-0987). This update corrects the replay problem in mod_digest_apple authentication using the modifications made to Apache 1.3.32.

Apache

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2003-0020, CAN-2003-0987, CAN-2004-0174, CAN-2004-0488, CAN-2004-0492, CAN-2004-0885, CAN-2004-0940

Impact: Multiple vulnerabilities in Apache and mod_ssl, including local privilege escalation, remote denial of service and, in some modified configurations, execution of arbitrary code.

Description: The Apache Group fixed a number of vulnerabilities between versions 1.3.29 and 1.3.33. The Apache Group security page for Apache 1.3 is located at http://www.apacheweek.com/features/security-13. The previously installed version of Apache was 1.3.29. The default installation of Apache does not enable mod_ssl. This update fixes all applicable issues by updating Apache to version 1.3.33 and the companion mod_ssl to version 2.8.22.

Apache

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1083

Impact: Apache configurations did not fully block access to “.DS_Store” files or those starting with “.ht”.

Description: A default Apache configuration blocks access to files starting with “.ht” in a case-sensitive way. The Apple HFS+ file system performs file access in a case-insensitive way. The Finder may also create .DS_Store files containing the names of files in locations used to serve web pages. This update modifies the Apache configuration to restrict access to all files beginning with “.ht” or “.DS_S” regardless of capitalisation.

Apache

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1084

Impact: File data and resource fork content can be retrieved via HTTP, bypassing normal Apache file handlers.

Description: The Apple HFS+ file system permits files to have multiple data streams. These data streams can be directly accessed using special filenames. A specially crafted HTTP request can bypass an Apache file handler and directly access file data or resource fork content. This update modifies the Apache configuration to deny requests for file data or resource fork content via their special filenames. For more information, see this document. Credit to NetSec for reporting this issue.

Apache 2

Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0747, CAN-2004-0786, CAN-2004-0751, CAN-2004-0748

Impact: Modified Apache 2 configurations could permit a privilege escalation for local users and remote denial of service.

Description: A customer-modified Apache 2 configuration, where AllowOverride has been enabled, could permit a local user to execute arbitrary code as the Apache (www) user. An unmodified configuration is not vulnerable to this problem. This update also addresses bugs in Apache that could allow certain types of requests to crash the server. Apache is updated to version 2.0.52. Apache 2 only ships with Mac OS X Server and is off by default.

Appkit

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1081

Impact: Characters entered into a secure text field can be read by other applications in the same window session.

Description: In some circumstances, a secure text input field will not correctly enable secure input. This can allow other applications in the same window session to see some input characters and keyboard events. Input to secure text fields is now enabled in a way that prevents the leakage of key press information.

Appkit

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0803, CAN-2004-0804, CAN-2004-0886

Impact: Integer overflows and poor range checking in tiff handling could allow execution of arbitrary code or denial of service.

Description: Flaws in decoding tiff images could overwrite memory, cause arithmetic errors resulting in a crash or permit the execution of arbitrary code. This update corrects the problems in the handling of tiff images.

Cyrus IMAP

Available for: Mac OS X Server v10.3.6

CVE-ID: CAN-2004-1089

Impact: When using Kerberos authentication with Cyrus IMAP an authenticated user could gain unauthorised access to other mailboxes on the same system.

Description: When using the Kerberos authentication mechanism with the Cyrus IMAP server, a user could switch mailboxes after authenticating and gain access to other mailboxes on the same system. This update binds the mailbox to the authenticated user. This server-specific issue is not present in Mac OS X Server v10.2.8. Credit to johan.gradvall@gothia.se for reporting this issue.

HIToolbox

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6

CVE-ID: CAN-2004-1085

Impact: Users can quit applications in kiosk mode.

Description: A special key combination allowed users to bring up the force-quit window even in kiosk mode. This update blocks all force-quit key combinations while in kiosk mode. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Glenn Blauvelt of University of Colorado at Boulder for reporting this issue.

Kerberos

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772

Impact: Exposure to a potential denial of service when Kerberos authentication is used.

Description: MIT has released a new version of Kerberos that addresses a denial of service and three double-free errors. Mac OS X contains protection against double-free errors. This update applies the fix for the denial of service problem. As a precautionary measure, the double-free patches have also been applied. Credit to the MIT Kerberos Development Team for reporting this issue and providing fixes.

Postfix

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6

CVE-ID: CAN-2004-1088

Impact: Postfix using CRAM-MD5 may allow a remote user to send mail without properly authenticating.

Description: Postfix servers using CRAM-MD5 to authenticate senders were vulnerable to a replay attack. Under some circumstances, the credentials used to successfully authenticate a user could be reused for a small time period. The CRAM-MD5 algorithm used to authenticate users has been updated to close the replay window. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Victor Duchovni of Morgan Stanley for reporting this issue.

PSNormalizer

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6

CVE-ID: CAN-2004-1086

Impact: A buffer overflow in PostScript to PDF conversion could allow execution of arbitrary code.

Description: A buffer overflow in the handling of PostScript to PDF conversion could potentially allow the execution of arbitrary code. This update corrects the PostScript to PDF conversion code to prevent the buffer overflow. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8.

QuickTime Streaming Server

Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1123

Impact: Specially crafted requests could cause a denial of service.

Description: QuickTime Streaming Server was vulnerable to a denial of service attack when handling DESCRIBE requests. This update corrects the handling of these requests. Credit to iDEFENSE for reporting this issue.

Safari

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1121

Impact: Specially crafted HTML can display a misleading URI in the Safari status bar.

Description: Safari could be tricked into displaying a URI in its status bar that was not the same as the destination of a link. This update corrects Safari so it now displays the URI that will be activated when selected.

Safari

Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-1122

Impact: With multiple browser windows active, Safari users could be misled about which window activated a pop-up window.

Description: When multiple Safari windows are open, a carefully timed pop-up could mislead a user into thinking it was activated by a different site. In this update, Safari now places a window that activates a pop-up in front of all other browser windows. Credit to Secunia Research for reporting this issue.

Terminal

Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6

CVE-ID: CAN-2004-1087

Impact: Terminal may indicate that “Secure Keyboard Entry” is active when it is not.

Description: The “Secure Keyboard Entry” menu setting was not properly restored when launching Terminal.app. A tick would be displayed next to “Secure Keyboard Entry” even though it was not enabled. This update fixes the behaviour of the “Secure Keyboard Entry”. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Jonathan “Wolf” Rentzsch of Red Shed Software for reporting this issue.

iCal 1.5.4

CVE-ID: CAN-2004-1021

Impact: New iCal calendars may add alarms without approval.

Description: iCal calendars may include notification of events via alarms. These alarms may open programs and send email. iCal has been updated to show an alert window when importing or opening calendars containing alarms. iCal 1.5.4 is available for Mac OS X 10.2.3 or later. Credit to aaron@vtty.com for reporting this issue.

Security Update 2004-10-27

Apple Remote Desktop

Available for: Apple Remote Desktop Client 1.2.4 with Mac OS X 10.3.x

CVE-ID: CAN-2004-0962

Impact: An application can be started behind the loginwindow, and it will run as root.

Description: For a system meeting all of the following conditions:

  • Apple Remote Desktop client installed

  • A user on the client system has been enabled with the Open and quit applications privilege

  • The username and password of the ARD user is known

  • Fast user switching has been enabled

  • A user is logged in, and loginwindow is active via Fast User Switching

If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application would run as root behind the loginwindow. This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X 10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue.

QuickTime 6.5.2

CVE-ID: CAN-2004-0988

Available for: Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows ME and Microsoft Windows 98

Impact: An integer overflow that may be exploitable in an HTML environment.

Description: A sign extension of an overflowed small integer can result in a very large number being passed to a memory move function. The fix prevents the small integer from overflowing. This issue does not exist in QuickTime for Mac OS X systems. Credit to John Heasman of Next Generation Security Software Ltd. for reporting this issue.

CVE-ID: CAN-2004-0926

Available for: Mac OS X v10.3.x, Mac OS X Server v10.3.x, Mac OS X v10.2.8, Mac OS X Server v10.2.8, Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows ME and Microsoft Windows 98

Impact: A heap buffer overflow could allow attackers to execute arbitrary code.

Description: Flaws in decoding the BMP image type could overwrite heap memory and potentially allow the execution of arbitrary code hidden in an image. This is the same security enhancement that was made available in Security Update 2004-09-30 and can be deployed on the additional system configurations covered by this QuickTime update.

Security Update 2004-09-30 (released 2004-10-04)

AFP Server

Available for: Mac OS X v10.3.5 and Mac OS X Server v10.3.5

CVE-ID: CAN-2004-0921

Impact: A denial of service permitting a guest to disconnect AFP volumes

Description: An AFP volume mounted by a guest could be used to terminate authenticated user mounts from the same server by modifying SessionDestroy packets. This issue does not affect systems prior to Mac OS X v10.3 or Mac OS X Server v10.3.

AFP Server

Available for: Mac OS X v10.3.5 and Mac OS X Server v10.3.5

CVE-ID: CAN-2004-0922

Impact: Write-only AFP Drop Box may be set as read-write.

Description: A write-only Drop Box on an AFP volume mounted by a guest could sometimes be read-write due to an incorrect setting of the guest group ID. This issue does not affect systems prior to Mac OS X v10.3 or Mac OS X Server v10.3.

CUPS

Available for: Mac OS X v10.3.5, Mac OS X Server v10.3.5, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0558

Impact: A denial of service causing the printing system to hang

Description: The Internet Printing Protocol (IPP) implementation in CUPS can hang when a certain UDP packet is sent to the IPP port.

CUPS

Available for: Mac OS X v10.3.5, Mac OS X Server v10.3.5, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0923

Impact: Local disclosure of user passwords

Description: Certain methods of authenticated remote printing could disclose user passwords in the printing system log files. Credit to Gary Smith of the IT Services department at Glasgow Caledonian University for reporting this issue.

NetInfo Manager

Available for: Mac OS X v10.3.5 and Mac OS X Server v10.3.5

CVE-ID: CAN-2004-0924

Impact: Incorrect indication of account status

Description: The NetInfo Manager utility can enable the “root” account, but after a single “root” login, it is no longer possible to use NetInfo Manager to disable the account and it incorrectly appears to be disabled. This issue does not affect systems prior to Mac OS X v10.3 or Mac OS X Server v10.3.

postfix

Available for: Mac OS X v10.3.5 and Mac OS X Server v10.3.5

CVE-ID: CAN-2004-0925

Impact: A denial of service when SMTPD AUTH has been enabled

Description: When SMTPD AUTH has been enabled in postfix, a buffer containing the username is not correctly cleared between authentication attempts. Only users with the longest usernames will be able to authenticate. This issue does not affect systems prior to Mac OS X v10.3 or Mac OS X Server v10.3. Credit to Michael Rondinelli of EyeSee360 for reporting this issue.

QuickTime

Available for: Mac OS X v10.3.5, Mac OS X Server v10.3.5, Mac OS X v10.2.8, Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0926

Impact: A heap buffer overflow could allow attackers to execute arbitrary code.

Description: Flaws in decoding the BMP image type could overwrite heap memory and potentially allow the execution of arbitrary code hidden in an image.

ServerAdmin

Available for: Mac OS X Server v10.3.5 and Mac OS X Server v10.2.8

CVE-ID: CAN-2004-0927

Impact: Client-Server communication with ServerAdmin can be read by decoding captured sessions.

Description: Client-Server communication with ServerAdmin uses SSL. All systems come installed with the same example self-signed certificate. If that certificate has not been replaced, then ServerAdmin communication may be decrypted. The fix replaces the existing self-signed certificate with one that has been locally and uniquely generated. Credit to Michael Bartosh of 4am Media, Inc. for reporting this issue.

Security Update 2004-09-16

iChat

CVE-ID: CAN-2004-0873

Impact: Remote iChat participants can send “links” that can start local programs if clicked.

Description: A remote iChat participant can send a “link” that references a program on the local system. If the “link” is activated by clicking on it and the “link” points to a local program, then the program will run. iChat has been modified so “links” of this type will open a Finder window that displays the program instead of running it. Credit to aaron@vtty.com for reporting this issue.

Availability: This update is available for the following iChat versions:

- iChat AV v2.1 (Mac OS X 10.3.5 or later)

- iChat AV v2.0 (Mac OS X 10.2.8)

- iChat 1.0.1 (Mac OS X 10.2.8)

Security Update 2004-09-07

This Security Update is available for the following system versions:

- Mac OS X 10.3.4

- Mac OS X 10.3.5

- Mac OS X Server 10.3.4

- Mac OS X Server 10.3.5

- Mac OS X 10.2.8

- Mac OS X Server 10.2.8

Tip: For more information about CVE-IDs referenced below, see http://www.cve.mitre.org/.

Component: Apache 2

CVE-IDs: CAN-2004-0493, CAN-2004-0488

Available for: Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: Exposure to a potential Denial of Service

Description: The Apache Organization has released Apache version 2.0.50. This release fixes a number of denial of service vulnerabilities. We have updated Apache to version 2.0.50, which only ships with Mac OS X Server and is off by default.

Component: CoreFoundation

CVE-ID: CAN-2004-0821

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: Privileged programs using CoreFoundation can be made to load a user-supplied library.

Description: Bundles using the CoreFoundation CFPlugIn facilities can include directions to automatically load plugin executables. With a specially crafted bundle this could also occur for privileged programs, permitting a local privilege escalation. CoreFoundation now prevents automatic executable loading for bundles that already have a loaded executable. Credit to Kikuchi Masashi (kik@ms.u-tokyo.ac.jp) for reporting this issue.

Component: CoreFoundation

CVE-ID: CAN-2004-0822

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: An environment variable can be manipulated to cause a buffer overflow, which can result in a privilege escalation.

Description: By manipulating an environment variable, a program could potentially be made to execute arbitrary code by a local attacker. This can only be exploited with access to a local account. Stricter validity checks are now performed for this environment variable. Credit to aaron@vtty.com for reporting this issue.

Component: IPSec

CVE-ID: CAN-2004-0607

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: When using certificates, unauthenticated hosts may be able to negotiate an IPSec connection.

Description: When configured to use X.509 certificates to authenticate remote hosts, a certificate verification failure does not abort the key exchange. Mac OS X does not use certificates for IPSec by default, so this issue only affects configurations that have been manually set up to use them. IPSec now aborts the key exchange if certificate verification fails.

Component: Kerberos

CVE-ID: CAN-2004-0523

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier could permit remote attackers to execute arbitrary code.

Description: The buffer overflow can only be exploited if “auth_to_local_names” or “auth_to_local” support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default. The security fix was back-ported and applied to the Mac OS X versions of Kerberos. The Mac OS X and Mac OS X Server version of Kerberos is not susceptible to the recent “double-free” issue reported in the CERT vulnerability note VU#350792 (CAN-2004-0772). Credit to the MIT Kerberos Development Team for informing us of this issue.

Component: lukemftpd

CVE-ID: CAN-2004-0794

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: A race condition that can permit an authenticated remote attacker to cause a denial of service or execute arbitrary code.

Description: If the FTP service has been enabled and a remote attacker can correctly authenticate, then a race condition would permit them to stop the FTP service or execute arbitrary code. The fix is to replace the lukemftpd FTP service with tnftpd. lukemftp is installed but not activated in Mac OS X Server, which instead uses xftp. Credit to Luke Mewburn of the NetBSD Foundation for informing us of this issue.

Component: OpenLDAP

CVE-ID: CAN-2004-0823

Available for: Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: A crypt password can be used as if it were a plain text password.

Description: Backwards compatibility with older LDAP implementations permits the storing of a crypt password in the userPassword attribute. Some authentication validation schemes can use this value as if it were a plain-text password. The fix removes the ambiguity and always uses this type of field as a crypt password. This issue does not occur in Mac OS X 10.2.8. Credit to Steve Revilak of Kayak Software Corporation for reporting this issue.

Component: OpenSSH

CVE-ID: CAN-2004-0175

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: A malicious ssh/scp server can overwrite local files.

Description: A directory traversal vulnerability in the scp program permits a malicious remote server to overwrite local files. The security fix was back-ported and applied to the Mac OS X versions of OpenSSH.

Component: PPPDialer

CVE-ID: CAN-2004-0824

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: A malicious user can overwrite system files resulting in a local privilege escalation.

Description: PPP components performed insecure accesses of a file stored in a world-writeable location. The fix moves the log files to a non-world-writeable location.

Component: QuickTime Streaming Server

Available for: Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

CVE-ID: CAN-2004-0825

Impact: A denial of service requiring a restart of the QuickTime Streaming Server

Description: A particular sequence of client operations can cause a deadlock on the QuickTime Streaming Server. The fix updates the code to eliminate this deadlock condition.

Component: rsync

CVE-ID: CAN-2004-0426

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: When rsync is run in daemon mode a remote attacker can write outside of the module path unless the chroot option has been set.

Description: rsync before version 2.6.1 does not properly sanitise paths when running a read/write daemon with the chroot option turned off. The fix updates rsync to version 2.6.2.

Component: Safari

CVE-ID: CAN-2004-0361

Available for: Mac OS X 10.2.8, Mac OS X Server 10.2.8

Impact: A JavaScript array of negative size can cause Safari to access out-of-bounds memory resulting in an application crash.

Description: Storing objects into a JavaScript array allocated with negative size can overwrite memory. Safari now stops processing JavaScript programs if an array allocation fails. This security enhancement was previously made available in Safari 1.0.3 and is being applied inside the Mac OS X 10.2.8 operating system as an extra layer of protection for customers who have not installed that version of Safari. This is a specific fix for Mac OS X 10.2.8 and the issue does not exist in Mac OS X 10.3 or later systems.

Component: Safari

CVE-ID: CAN-2004-0720

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: An untrusted website can inject content into a frame intended to be used by another domain.

Description: A website that uses multiple frames can have some of its frames replaced with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules preventing the attack.

Component: SquirrelMail

CVE-ID: CAN-2004-0521

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements.

Description: SquirrelMail before 1.4.3 RC1 is vulnerable to SQL injection, which permits unauthorised SQL statements to be run. The fix updates SquirrelMail to version 1.4.3a.

Component: tcpdump

CVE-IDs: CAN-2004-0183, CAN-2004-0184

Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

Impact: Maliciously crafted packets can cause a crash of a running tcpdump.

Description: The detailed printing functions for ISAKMP packets do not perform correct bounds checking and cause an out-of-bounds read that results in a crash. The fix updates tcpdump to version 3.8.3.

Mac OS X 10.3.5

Tip: For more information about CVE-IDs referenced below, see http://www.cve.mitre.org/.

libpng (Portable Network Graphics)

CVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599

Impact: Malicious PNG images can cause application crashes and could execute arbitrary code.

Description: A number of buffer overflows, null pointer dereferences and integer overflows have been discovered in the reference library for reading and writing PNG images. These vulnerabilities have been corrected in libpng, which is used by the CoreGraphics and AppKit frameworks in Mac OS X. After installing this update, applications that use the PNG image format via these frameworks will be protected against these flaws.

Safari

CVE-ID: CAN-2004-0743

Impact: In a special situation, navigation using the forwards/backwards buttons can re-send form data to a GET URL.

Description: This is for a situation where a web form is sent to a server using a POST method which issues an HTTP redirect to a GET method URL. Using the forwards/backwards buttons will cause Safari to re-POST the form data to the GET URL. Safari has been modified so in this situation, forwards/backwards navigation will only result in a GET method. Credit to Rick Osterberg of Harvard University FAS Computer Services for reporting this issue.

TCP/IP Networking

CVE-ID: CAN-2004-0744

Impact: Maliciously crafted IP fragments can use too many system resources preventing normal network operation.

Description: The “Rose Attack” describes a specially constructed sequence of IP fragments designed to consume system resources. The TCP/IP implementation has been modified to limit the resources consumed and prevents this denial of service attack. Credit to Ken Hollis (gandalf@digital.net) and Chuck McAuley (chuck-at-lemure-dot-net), from a discussion about the “Rose Attack”.

Security Update 2004-08-09 (Mac OS X 10.3.4 and 10.2.8)

Tip: For more information about CVE-IDs referenced below, see http://www.cve.mitre.org/.

libpng (Portable Network Graphics)

CVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599

Impact: Malicious PNG images can cause application crashes and could execute arbitrary code.

Description: A number of buffer overflows, null pointer dereferences and integer overflows have been discovered in the reference library for reading and writing PNG images. These vulnerabilities have been corrected in libpng, which is used by the CoreGraphics and AppKit frameworks in Mac OS X. After installing this update, applications that use the PNG image format via these frameworks will be protected against these flaws.

Security Update 2004-06-07 (Mac OS X 10.3.4 and 10.2.8)

Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL). Please see this article for more details, including a description of the new alert dialogue box. Security Update 2004-06-07 is available for the following system versions:

- Mac OS X 10.3.4 “Panther”

- Mac OS X Server 10.3.4 “Panther”

- Mac OS X 10.2.8 “Jaguar”

- Mac OS X Server 10.2.8 “Jaguar”

LaunchServices

CVE-ID: CAN-2004-0538

Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications.

Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert. Further information is available in this article.

Component: DiskImageMounter

CVE-ID: No CVE ID has been reserved as this is only an additional preventive measure.

Impact: The disk:// URL type mounts an anonymous remote file system using the http protocol.

Discussion: The registration of the disk:// URL type is removed from the system as a preventive measure against attempts to automatically mount remote disk image file systems.

Safari

CVE-ID: CAN-2004-0539

Impact: The “Show in Finder” button would open certain downloaded files, in some cases executing downloaded applications.

Discussion: The “Show in Finder” button will now reveal files in a Finder window and will no longer attempt to open them. This modification is only available for Mac OS X 10.3.4 “Panther” and Mac OS X Server 10.3.4 “Panther” systems as the issue does not apply to Mac OS X 10.2.8 “Jaguar” or Mac OS X Server 10.2.8 “Jaguar”.

Terminal

CVE-ID: Not applicable

Impact: Attempts to use a telnet:// URL with an alternate port number fail.

Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URL. This restores functionality that was removed with the recent fix for CAN-2004-0485.

Mac OS X 10.3.4

  • NFS: Fixes CAN-2004-0513 to improve logging when tracing system calls. Credit to David Brown (dave@spoonguard.org) for reporting this issue.

  • LoginWindow: Fixes CAN-2004-0514 to improve the handling of directory services lookups.

  • LoginWindow: Fixes CAN-2004-0515 to improve the handling of console log files. Credit to aaron@vtty.com for reporting this issue.

  • Packaging: Fixes CAN-2004-0516 to improve package installation scripts. Credit to aaron@vtty.com for reporting this issue.

  • Packaging: Fixes CAN-2004-0517 to improve the handling of process IDs during package installation. Credit to aaron@vtty.com for reporting this issue.

  • TCP/IP: Fixes CAN-2004-0171 to improve the handling of out-of-sequence TCP packets.

  • AppleFileServer: Fixes CAN-2004-0518 to improve the use of SSH and reporting errors.

  • Terminal: Fixes CAN-2004-0485 to improve the handling of URLs. Credit to René Puls (rpuls@gmx.net) for reporting this issue.

Note: Mac OS X 10.3.4 includes Security Update 2004-04-05 and Security Update 2004-05-03.

Security Update 2004-05-24 for Mac OS X 10.3.3 “Panther” and Mac OS X 10.3.3 Server

  • HelpViewer: Fixes CAN-2004-0486 to ensure HelpViewer will only process scripts that it initiated. Credit to lixlpixel for reporting this issue.

Note: This update can also be installed on Mac OS X 10.3.4 and Mac OS X 10.3.4 Server.

Security Update 2004-05-24 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • HelpViewer: Fixes CAN-2004-0486 to ensure HelpViewer will only process scripts that it initiated. Credit to lixlpixel

  • Terminal: Fixes CAN-2004-0485 to improve URL processing within Terminal. Credit to René Puls

Security Update 2004-05-03 for Mac OS X 10.3.3 “Panther” and Mac OS X 10.3.3 Server

  • AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.

  • Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating Apache 2 to version 2.0.49.

  • CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.

  • IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392.

Security Update 2004-04-05 has been incorporated into this security update.

Security Update 2004-05-03 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.

  • Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating Apache 2 to version 2.0.49.

  • CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.

  • IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392.

  • Server Settings daemon: Fixes CAN-2004-0429 to improve the handling of large requests.

Security Update 2004-04-05 has been incorporated into this security update.

QuickTime 6.5.1

  • Fixes CAN-2004-0431 where playing a malformed .mov (movie) file could cause QuickTime to terminate.

Security Update 2004-04-05 for Mac OS X 10.3.3 “Panther” and Mac OS X 10.3.3 Server

  • CUPS Printing: Fixes CAN-2004-0382 to improve the security of the printing system. This is a configuration file change that does not affect the underlying Printing system. Credit to aaron@vtty.com for reporting this issue.

  • libxml2: Fixes CAN-2004-0110 to improve the handling of uniform resource locators.

  • Mail: Fixes CAN-2004-0383 to improve the handling of HTML-formatted email. Credit to aaron@vtty.com for reporting this issue.

  • OpenSSL: Fixes CAN-2004-0079 and CAN-2004-0112 to improve the handling of encryption choices.

Security Update 2004-04-05 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • CUPS Printing: Fixes CAN-2004-0382 to improve the security of the printing system. Credit to aaron@vtty.com for reporting this issue.

Security Update 2004-01-26 has been incorporated into this security update. The additional security enhancements provided for Panther in Security Update 2004-04-05 do not affect the 10.2 platform.

Security Update 2004-02-23 for Mac OS X 10.3.2 “Panther” and Mac OS X 10.3.2 Server

  • CoreFoundation: Fixes CAN-2004-0168 to improve notification logging. Credit to aaron@vtty.com for reporting this issue.

  • DiskArbitration: Fixes CAN-2004-0167 to more securely handle the initialisation of writeable removable media. Credit to aaron@vtty.com for reporting this issue.

  • IPSec: Fixes CAN-2004-0164 to improve checking in key exchange.

  • Point-to-Point-Protocol: Fixes CAN-2004-0165 to improve the handling of error messages. Credit to Dave G. of @stake and Justin Tibbs of Secure Network Operations (SRT) for reporting this issue.

  • tcpdump: Fixes CAN-2003-0989, CAN-2004-0055 and CAN-2004-0057 by updating tcpdump to version 3.8.1 and libpcap to version 0.8.1

  • QuickTime Streaming Server: Fixes CAN-2004-0169 to improve checking of request data. Credit to iDEFENSE Labs for reporting this issue. Streaming Server updates for other platforms are available from http://developer.apple.com/darwin/.

Security Update 2004-02-23 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • DiskArbitration: Fixes CAN-2004-0167 to more securely handle the initialisation of writeable removable media. Credit to aaron@vtty.com for reporting this issue.

  • IPSec: Fixes CAN-2004-0164 to improve checking in key exchange.

  • Point-to-Point-Protocol: Fixes CAN-2004-0165 to improve the handling of error messages. Credit to Dave G. of @stake and Justin Tibbs of Secure Network Operations (SRT) for reporting this issue.

  • Safari: Fixes CAN-2004-0166 to improve the display of URLs in the status bar.

  • QuickTime Streaming Server: Fixes CAN-2004-0169 to improve checking of request data. Credit to iDEFENSE Labs for reporting this issue. Streaming Server updates for other platforms are available from http://developer.apple.com/darwin/.

Security Update 2004-01-26 for Mac OS X 10.2.8 Server has been incorporated into this security update.

Security Update 2004-01-26 for Mac OS X 10.1.5 “Puma” and Mac OS X 10.1.5 Server

  • Mail: Fixes CAN-2004-0085 to deliver security enhancements to Apple’s mail application.

Security Update 2004-01-26 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • AFP Server: Improves AFP over the 2003-12-19 security update.

  • Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.

  • Apache 2: (Installed only on Server) Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. For details on the update, see: http://www.apache.org/dist/httpd/Announcement2.html

  • Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.

  • Mail: Fixes CAN-2004-0085 to deliver security enhancements to Apple’s mail application.

  • Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.

  • System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088, where the SystemConfiguration subsystem allowed remote non-admin users to change network settings and make configuration changes to configd. Credit to Dave G. from @stake for reporting these issues.

Security Update 2003-12-19 has been incorporated into this security update. Additional security improvements contained in Security Update 2004-01-26 for Mac OS X 10.3.2 “Panther” are not contained in this update for Jaguar as Jaguar is unaffected by these issues.

Security Update 2004-01-26 for Mac OS X 10.3.2 “Panther” and Mac OS X Server 10.3.2

  • Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.

  • Apache 2: (Installed only on Server) Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. For details on the update, see http://www.apache.org/dist/httpd/Announcement2.html.

  • Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.

  • Mail: Fixes CAN-2004-0086 to deliver security enhancements to Apple’s mail application. Credit to Jim Roepcke for reporting this issue.

  • Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.

  • System Configuration: Fixes CAN-2004-0087, where the System Configuration subsystem allowed remote non-admin users to change network settings. Credit to Dave G. from @stake for reporting this issue.

  • Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing did not shut down properly.

Security Update 2003-12-19 has been incorporated into this security update. Additional security improvements contained in Security Update 2004-01-26 for Mac OS X 10.2.8 “Jaguar” are not contained in this update for Panther as Panther is unaffected by these issues.

Security Update 2003-12-19 for Mac OS X 10.2.8 “Jaguar” and Mac OS X 10.2.8 Server

  • AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

  • cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the file system utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

  • Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer’s local subnet. Further information is provided in Apple’s Knowledge Base article: http://docs.info.apple.com/article.html?artnum=32478. Credit to William A. Carrel for reporting this issue.

  • Fetchmail: Fixes CAN-2003-0792. Fetchmail is provided with updates that improve its stability under certain conditions.

  • fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

  • rsync: Addresses CAN-2003-0962 by improving the security of the rsync server.

  • System initialization: Fixes CAN-2003-1011. The system initialisation process has been improved to restrict root access on a system that uses a USB keyboard.

Note: The following fixes which appear in “Security Update 2003-12-19 for Panther” are not included in “Security Update 2003-12-19 for Jaguar” as the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

- CAN-2003-1005: ASN.1 Decoding for PKI

- CAN-2003-1008: Screen Saver text clippings

Security Update 2003-12-19 for Mac OS X 10.3.2 “Panther” and Mac OS X 10.3.2 Server

  • ASN.1 Decoding for PKI: Fixes CAN-2003-1005, which could cause a potential denial of service when receiving malformed ASN.1 sequences. This is related but separate from CAN-2003-0851.

  • AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

  • cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the file system utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

  • Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer’s local subnet. Further information is provided in Apple’s Knowledge Base article: http://docs.info.apple.com/article.html?artnum=32478. Credit to William A. Carrel for reporting this issue.

  • Fetchmail: Fixes CAN-2003-0792. Fetchmail is provided with updates that improve its stability under certain conditions.

  • fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

  • rsync: Addresses CAN-2003-0962 by improving the security of the rsync server.

  • Screen Saver: Fixes CAN-2003-1008. When the Screen Saver login window is present, it is no longer possible to write a text clipping to the desktop or an application. Credit to Benjamin Kelly for reporting this issue.

  • System initialization: Fixes CAN-2003-1011. The system initialisation process has been improved to restrict root access on a system that uses a USB keyboard.

Security Update 2003-12-05

  • Safari: Fixes CAN-2003-0975 to ensure Safari will provide access to a user’s cookie information only to authorised websites. The update is available for both Mac OS X 10.3.1 and Mac OS X 10.2.8.

Security Update 2003-11-19 for Mac OS X 10.2.8

It is Apple’s policy to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible. Security Update 2003-11-19 includes updates to several components of Mac OS X 10.2 that meet this criterion.

  • gm4: Fixes CAN-2001-1411, a format string vulnerability in the gm4 utility. No setuid-root programs relied on gm4, and this fix is a preventive measure against a possible future exploit.

  • groff: Fixes CVE-2001-1022, where the groff component pic contained a format-string vulnerability.

  • Mail: Fixes CAN-2003-0881. The Mac OS X Mail application will no longer fall back to a plain text login when an account is configured to use MD5 Challenge Response.

  • OpenSSL: Fixes CAN-2003-0851. Particular malformed ASN.1 sequences are now parsed in a more secure manner.

  • Personal File Sharing: Fixes CAN-2003-0878. When Personal File Sharing is enabled, the slpd daemon can no longer create a root-owned file in the /tmp directory, which could be used by a local user to gain elevated privileges.

  • QuickTime for Java: Fixes CAN-2003-0871, a potential vulnerability that could allow unauthorised access to a system.

  • zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.

Security Update 2003-11-19 for Mac OS X 10.3.1 “Panther”

  • OpenSSL: Fixes CAN-2003-0851. Particular malformed ASN.1 sequences are now parsed in a more secure manner.

  • zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.

Security Update 2003-11-04

  • Terminal: Addresses CAN-2003-0913, a potential vulnerability in the Terminal application in Mac OS X 10.3 and Mac OS X Server 10.3 that could allow unauthorised access to a system. Mac OS X versions earlier than 10.3 are not affected.

Security Update 2003-10-28

  • QuickTime for Java: Fixes CAN-2003-0871, a potential vulnerability in the implementation of QuickTime for Java in Mac OS X 10.3 and Mac OS X Server 10.3 that could allow unauthorised access to a system.

Mac OS X 10.3 Panther

  • Finder: Fixes CAN-2003-0876, where folder permissions may not be preserved when copying a folder from a mounted volume such as a disk image. Credit to Dave G. from @stake, Inc. for finding this issue.

  • Kernel: Fixes CAN-2003-0877, where, if a system is running with core files enabled, a user with interactive shell access can overwrite arbitrary files and read core files created by root-owned processes. This may result in sensitive information such as authentication credentials being compromised. Core file creation is disabled by default on Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

  • slpd: Fixes CAN-2003-0878 when Personal File Sharing is enabled, the slpd daemon may create a root-owned file in the /tmp directory. This could overwrite an existing file and allow a user to gain elevated privileges. Personal File Sharing is off by default in Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

  • Kernel: Fixes CAN-2003-0895 where it may be possible for a local user to cause the Mac OS X kernel to crash by specifying a long command line argument. The machine will reboot on its own after several minutes. Credit to Dave G. from @stake, Inc. for finding this issue.

  • ktrace: Fixes CVE-2002-0701, a theoretical issue where, when ktrace is enabled through the KTRACE kernel option, a local user may be able to obtain sensitive information. No specific utility is currently known to be vulnerable to this particular problem.

  • nfs: Fixes CVE-2002-0830 for the Network File System where a remote user may be able to send RPC messages that cause the system to lock up.

  • zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed.

  • gm4: Fixes CAN-2001-1411, a format string vulnerability in the gm4 utility. No setuid-root programs relied on gm4, and this fix is a preventive measure against a possible future exploit.

  • OpenSSH: Fixes CAN-2003-0386 where “from=” and “user@hosts” restrictions are potentially spoofable via reverse DNS for numerically specified IP addresses. Mac OS X 10.3 also incorporates prior fixes released for OpenSSH, and the version of OpenSSH as obtained via the “ssh -V” command is: OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

  • nidump: Fixes CAN-2001-1412, where the nidump utility provides access to the hashed (crypt) passwords used to authenticate logins.

  • System Preferences: Fixes CAN-2003-0883 where after authenticating with an administrator password, the system will continue to allow access to secure Preference Panes for a short period of time. This could allow a local user to access Preference Panes that they would not normally be able to use. In Mac OS X 10.3 Security preferences, there is now a choice to “Require password to unlock each secure system preference”. Credit to Anthony Holder for reporting this issue.

  • TCP timestamp: Fixes CAN-2003-0882, where the TCP timestamp is initialised with a constant number. This could allow a person to discover how long the system has been up based on the timestamp values in its TCP packets. In Mac OS X 10.3, the TCP timestamp is now initialised with a random number. Credit to Aaron Linville for reporting this issue and submitting a fix via the Darwin open-source program.

  • Mail: Fixes CAN-2003-0881. In the Mac OS X Mail application, if an account is configured to use MD5 Challenge Response, it will attempt to log in using CRAM-MD5 but will silently fall back to plain text if the hashed login fails, sending the password over the network in the clear. Credit to Chris Adams for reporting this issue.

  • Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via the Keyboard pane in System Preferences, Dock functions can be accessed blindly from behind Screen Effects.
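
The OpenSSH item above turns on how a “from=” pattern in authorized_keys is matched. The following is an added example for this page, not Apple or OpenSSH code: it models the matching rule in Python for a pattern such as from="10.0.0.*". The client addresses, reverse-DNS names and pattern lists below are constructed for illustration, and the function names are choices of the example. In the pre-fix rule every pattern is tried against both the numeric address and the reverse-DNS name, so a remote host whose PTR record (which its owner controls) is the string "10.0.0.99" satisfies a numeric pattern; the fixed rule compares numeric patterns with the numeric address only.

```python
import fnmatch
import re

# Added example modelling the CAN-2003-0386 "from=" check; not Apple or OpenSSH code.
# OpenSSH patterns use only '*' and '?'; fnmatchcase would also interpret '[...]',
# which the constructed samples here avoid.


def is_numeric_pattern(pattern: str) -> bool:
    """A pattern made only of digits, dots and wildcards is meant to match an IP address."""
    return re.fullmatch(r"[0-9.*?]+", pattern) is not None


def match_vulnerable(pattern: str, client_ip: str, client_hostname: str) -> bool:
    """Pre-fix behaviour: every pattern is tried against the reverse-DNS name as well as the address."""
    return fnmatch.fnmatchcase(client_hostname, pattern) or fnmatch.fnmatchcase(client_ip, pattern)


def match_fixed(pattern: str, client_ip: str, client_hostname: str) -> bool:
    """Fixed behaviour: numeric patterns are compared with the numeric address only;
    non-numeric patterns still use the reverse-DNS name."""
    if is_numeric_pattern(pattern):
        return fnmatch.fnmatchcase(client_ip, pattern)
    return fnmatch.fnmatchcase(client_hostname, pattern)


def from_allows(from_option: str, client_ip: str, client_hostname: str, matcher) -> bool:
    """Evaluate a comma-separated from= list with '!' negation: a negated match denies
    immediately; otherwise the client is allowed if any positive pattern matches."""
    allowed = False
    for raw in from_option.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        if pattern.startswith("!"):
            if matcher(pattern[1:], client_ip, client_hostname):
                return False
        elif matcher(pattern, client_ip, client_hostname):
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed clients: a legitimate host on the allowed subnet, and an attacker whose
    # reverse DNS returns a name that merely looks like an allowed address.
    legit = ("10.0.0.5", "desk5.example.test")
    spoofer = ("192.0.2.7", "10.0.0.99")
    for name, matcher in (("vulnerable", match_vulnerable), ("fixed", match_fixed)):
        print(name,
              "legit:", from_allows("10.0.0.*", *legit, matcher),
              "spoofer:", from_allows("10.0.0.*", *spoofer, matcher))
```

The same spoof does not help against a hostname pattern such as "*.example.test", because the attacker’s PTR record would then have to be a name in a zone the attacker does not control; the weakness was specific to numeric patterns being tested against a name.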
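
As an added example of the TCP timestamp disclosure (not Apple code), the Python below shows how a passive observer estimates a host’s uptime from the TSval field of the TCP timestamp option when that counter starts from a fixed value at boot: two observations give the tick rate, and the latest value divided by the rate gives the time since boot. The samples are constructed, the list of common tick rates is an assumption of the example, and the capture times stand in for the timestamps a packet capture would supply. It also shows the two cases the fix separates: a constant initial value, even a non-zero one, still leaks uptime to anyone who knows the constant, whereas a random initial value makes the estimate meaningless.

```python
from typing import List, Tuple

# Added example for CAN-2003-0882; constructed data, not Apple code.
TS_MOD = 1 << 32                             # TSval is a 32-bit counter
COMMON_RATES_HZ = (2, 10, 100, 250, 1000)    # tick rates used by common TCP stacks (assumption)


def simulate_samples(uptime_at_first: float, rate_hz: int, initial_tsval: int,
                     capture_times: List[float]) -> List[Tuple[float, int]]:
    """Constructed observations (capture_time, tsval) as a host that booted with
    TSval == initial_tsval would produce at the given wall-clock capture times."""
    t0 = capture_times[0]
    return [(t, (initial_tsval + int((uptime_at_first + (t - t0)) * rate_hz)) % TS_MOD)
            for t in capture_times]


def estimate_tick_rate(samples: List[Tuple[float, int]]) -> float:
    """Ticks per second between the first and last observation, allowing for 32-bit wrap."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    ticks = (v1 - v0) % TS_MOD
    return ticks / (t1 - t0)


def snap_rate(rate: float) -> int:
    """Round a measured rate to the nearest rate a real stack would use."""
    return min(COMMON_RATES_HZ, key=lambda r: abs(r - rate))


def estimate_uptime_seconds(samples: List[Tuple[float, int]], assumed_initial_tsval: int = 0) -> float:
    """Uptime at the last observation, assuming the counter started at assumed_initial_tsval.
    The result is only meaningful if that assumption is right; a randomised start defeats it."""
    rate = snap_rate(estimate_tick_rate(samples))
    _, v_last = samples[-1]
    return ((v_last - assumed_initial_tsval) % TS_MOD) / rate


if __name__ == "__main__":
    times = [1000.0, 1010.0, 1030.0]          # constructed capture times, seconds
    three_days = 3 * 86400.0
    constant_start = simulate_samples(three_days, 100, 0, times)
    random_start = simulate_samples(three_days, 100, 0x9ABCDEF0, times)
    print("rate:", snap_rate(estimate_tick_rate(constant_start)), "Hz")
    print("uptime, constant start:", estimate_uptime_seconds(constant_start) / 86400, "days")
    print("uptime, random start:", estimate_uptime_seconds(random_start) / 86400, "days (meaningless)")
```

The first estimate recovers the three days and thirty seconds the constructed host has been up; the second is off by hundreds of days, which is the effect of the 10.3 change to a random initial value.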
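
The Mail item above describes a downgrade: CRAM-MD5 is attempted, and a failure is silently retried in clear text, so a server (or anyone in the path) that simply rejects the hashed login obtains the password. The following added example (constructed for this page, not Apple’s Mail code) implements the RFC 2195 response computation and a stand-in server, and contrasts a client that falls back with one that refuses to. FakeMailServer, login, the sample account and the fixed challenge string are assumptions of the example.

```python
import base64
import hashlib
import hmac

# Added example for CAN-2003-0881; not Apple's Mail code.


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """RFC 2195 response: base64("<user> <hex HMAC-MD5(password, challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


class FakeMailServer:
    """Constructed stand-in for the server side. accept_cram=False models a server, or an
    attacker in the path, that rejects the hashed login; plaintext_seen records every
    clear-text password that reaches it."""

    def __init__(self, users: dict, accept_cram: bool = True):
        self.users = users                  # CRAM-MD5 requires the server to hold the clear-text secret
        self.accept_cram = accept_cram
        self.plaintext_seen = []

    def challenge(self) -> bytes:
        return b"<1896.697170952@mail.example.test>"   # constructed nonce; real servers vary it

    def auth_cram(self, response_b64: str) -> bool:
        if not self.accept_cram:
            return False
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
        expected = hmac.new(self.users.get(user, "").encode(), self.challenge(), hashlib.md5).hexdigest()
        return user in self.users and hmac.compare_digest(digest, expected)

    def auth_plain(self, user: str, password: str) -> bool:
        self.plaintext_seen.append(password)           # the secret has now crossed the wire
        return self.users.get(user) == password


def login(server: FakeMailServer, user: str, password: str, allow_plaintext_fallback: bool):
    """Return the mechanism that succeeded. allow_plaintext_fallback=True is the pre-fix
    behaviour: a failed CRAM-MD5 exchange is silently retried with the password in the clear.
    The fixed client raises instead, so the password never leaves the machine unhashed."""
    if server.auth_cram(cram_md5_response(user, password, server.challenge())):
        return "cram-md5"
    if allow_plaintext_fallback:
        return "plaintext" if server.auth_plain(user, password) else None
    raise PermissionError("CRAM-MD5 failed; refusing to downgrade to a clear-text login")


if __name__ == "__main__":
    hostile = FakeMailServer({"alice": "s3cret"}, accept_cram=False)
    print("pre-fix client:", login(hostile, "alice", "s3cret", allow_plaintext_fallback=True),
          "server saw:", hostile.plaintext_seen)
    hostile = FakeMailServer({"alice": "s3cret"}, accept_cram=False)
    try:
        login(hostile, "alice", "s3cret", allow_plaintext_fallback=False)
    except PermissionError as exc:
        print("fixed client:", exc, "server saw:", hostile.plaintext_seen)
```

Note that CRAM-MD5 protects the password in transit but not the mailbox contents, and it obliges the server to store the secret in recoverable form; it is a defence against the downgrade described here, not a substitute for TLS.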

Mac OS X 10.2.8

  • OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address potential issues in certain ASN.1 structures and in certificate verification code. To deliver the update in a rapid and reliable manner, only the patches for the CVE IDs listed above were applied, and not the entire latest OpenSSL library. Thus, the OpenSSL version in Mac OS X 10.2.8, as obtained via the “openssl version” command, is: OpenSSL 0.9.6i 19 Feb 2003

  • OpenSSH: Addresses CAN-2003-0693, CAN-2003-0695 and CAN-2003-0682 to fix buffer management errors in OpenSSH’s sshd versions prior to 3.7.1. To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the “ssh -V” command, is: OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

  • sendmail: Addresses CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing.

  • fb_realpath(): Fixes CAN-2003-0466, which is an off-by-one error in the fb_realpath() function that may allow attackers to execute arbitrary code.

  • arplookup(): Fixes CAN-2003-0804. The arplookup() function caches ARP requests for routes on a local link. On a local subnet only, it is possible for an attacker to send a sufficient number of spoofed ARP requests that will exhaust kernel memory, leading to a denial of service.
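
The two version strings quoted above matter to anyone verifying that the fixes are present: the 10.2.8 build of OpenSSH advertises the backport in its banner (“+CAN-2003-0693”), but the OpenSSL banner is identical to an unpatched 0.9.6i, so a check that compares only the upstream release number cannot tell the two apart. The following is an added example, not Apple code, of what can and cannot be concluded from the banners. The function names are choices of the example, the OpenSSH 3.7.1 threshold comes from the item above, and the OpenSSL 0.9.6k and 0.9.7c thresholds are the upstream releases that fixed the three CVE IDs listed for OpenSSL.

```python
import re
import subprocess
from typing import Optional, Tuple

# Added example; not Apple code. Banner strings in the tests are the ones the page quotes.
SSHD_FIX_MARKER = "CAN-2003-0693"                    # suffix on Apple's backported OpenSSH build
OPENSSH_FIXED_RELEASE = (3, 7, 1)                    # first stock release with the sshd fixes
OPENSSL_FIXED_LETTER = {(0, 9, 6): "k", (0, 9, 7): "c"}   # upstream releases fixing CAN-2003-0543/0544/0545


def parse_openssh_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Return ((major, minor, patch), suffix) from an 'ssh -V' banner, e.g.
    'OpenSSH_3.4p1+CAN-2003-0693, ...' -> ((3, 4, 0), '+CAN-2003-0693')."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?(\+[\w.-]+)?", banner)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4)


def openssh_has_sshd_fix(banner: str) -> bool:
    """True if the release is at or after 3.7.1, or the banner carries Apple's backport marker."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return False
    version, suffix = parsed
    return version >= OPENSSH_FIXED_RELEASE or (suffix is not None and SSHD_FIX_MARKER in suffix)


def parse_openssl_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, fix), letter) from an 'openssl version' banner."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def openssl_release_has_fix(banner: str) -> bool:
    """True only when the upstream release number itself proves the ASN.1 fixes are present.
    False means 'not provable from the banner': a vendor backport such as the 10.2.8 build
    keeps the old number, so False must be confirmed against the installed updates."""
    parsed = parse_openssl_banner(banner)
    if parsed is None:
        return False
    branch, letter = parsed
    if branch in OPENSSL_FIXED_LETTER:
        return letter >= OPENSSL_FIXED_LETTER[branch]
    return branch > (0, 9, 7)


def local_banner(command) -> str:
    """Run a version command and return its combined output (ssh -V prints to stderr)."""
    try:
        result = subprocess.run(command, capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return (result.stdout + result.stderr).strip()


if __name__ == "__main__":
    ssh_banner = local_banner(["ssh", "-V"])
    ssl_banner = local_banner(["openssl", "version"])
    print(ssh_banner, "->", "sshd fix present" if openssh_has_sshd_fix(ssh_banner) else "not shown")
    print(ssl_banner, "->", "fix provable from release" if openssl_release_has_fix(ssl_banner)
          else "not provable from the banner; check the installed update")
```

On a 10.2.8 system with the update applied, the first line reports the fix from the “+CAN-2003-0693” marker, while the second cannot, which is the caveat for any version-based scanner: treat the OpenSSL result as unknown rather than vulnerable and confirm the installed update instead.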

For information about earlier security updates, see “Apple Security Updates: August 2003 and Earlier”.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple only provides this as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
