Date: 06 October 2003
References: ESB-2003.0582 ESB-2003.0674
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0701 -- Apple Security Advisory
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
06 October 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:            OpenSSL
                    OpenSSH
                    Sendmail
                    fb_realpath
                    arplookup
Publisher:          Apple
Operating System:   Mac OS X
Impact:             Denial of Service
                    Execute Arbitrary Code/Commands
                    Reduced Security
Access Required:    Remote
CVE Names:          CAN-2003-0543, CAN-2003-0544, CAN-2003-0545,
                    CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
                    CAN-2003-0466, CAN-2003-0601, CAN-2003-0518,
                    CAN-2003-0694, CAN-2003-0695, CAN-2003-0681,
                    CAN-2003-0804
Ref:                AL-2003.18
                    AL-2003.17
                    AL-2003.16
                    ESB-2003.0674
                    ESB-2003.0582
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
Mac OS X 10.2.8 has been re-posted, and it is updated to address
issues discovered with certain system configurations. The security
enhancements in Mac OS X 10.2.8 are identical between the first
release and the one now available.
================================================
This note describes all security enhancements in Mac OS X 10.2.8,
with the following new information:
* Security enhancements for OpenSSL (details below) have been recently
announced, and we can now disclose the presence of these enhancements
in Mac OS X 10.2.8.
* The latest release of Mac OS X 10.2.8 includes support for PowerMac
G5 systems. The initial 10.2.8 release only applied to PowerMac G4
systems.
* A Sendmail workaround for Mac OS X 10.1.x systems is described
below.
================================================
Mac OS X 10.2.8 contains security enhancements for the following:
OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address
potential issues in certain ASN.1 structures and in certificate
verification code. To deliver the update in a rapid and reliable
manner, only the patches for the CVE IDs listed above were
applied, and not the entire latest OpenSSL library. Thus, the
OpenSSL version in Mac OS X 10.2.8, as obtained via the
"openssl version" command, is: OpenSSL 0.9.6i Feb 19 2003
OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
versions prior to 10.2.8, the vulnerability is limited to a denial
of service from the possibility of causing sshd to crash. Each
login session has its own sshd, so established connections are
preserved up to the point where system resources are exhausted by
an attack.
To deliver the update in a rapid and reliable manner, only the
patches for CVE IDs listed above were applied, and not the entire
set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
0x0090609f
fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in
the fb_realpath() function that may allow attackers to execute
arbitrary code.
arplookup(): Fixes CAN-2003-0804. The arplookup() function caches
ARP requests for routes on a local link. On a local subnet only,
it is possible for an attacker to send a sufficient number of
spoofed ARP requests which will exhaust kernel memory, leading to
a denial of service.
Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
buffer overflow in address parsing, as well as a potential buffer
overflow in ruleset parsing.
================================================
How to install Sendmail for Mac OS X 10.1.5 systems:
- From the UNIX command-line, perform the following steps:
1. Download sendmail version 8.12.10 which contains the fix to the
Zalewski advisory, released on 2003/09/17, by executing the following
command:
curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
2. Verify the integrity of this file by typing:
cksum sendmail.8.12.10.tar.gz
which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"
3. Unpack the distribution as follows:
tar xvzf sendmail.8.12.10.tar.gz
4. Add the following line to your /etc/master.passwd file:
smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false
5. Add the following line to your /etc/group file:
smmsp:*:25:
6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
same smmsp user and group entries to your netinfo database. The
easiest way is to duplicate existing entries and edit them to match
the entries in steps 4 and 5. For example, in the users pane you
could select and then duplicate (%D) the entry for "www" and then edit
the uid/gid/name/home directory fields in the new "www copy" to match
those in step 4. Similarly, for groups you could select the entry for
"mail" and duplicate it, editing just the name and gid fields to match
those in step 5. When you're done, you should see a users/smmsp entry
and a groups/smmsp entry.
7. Now you're ready to start building the distribution. cd to the
sendmail-8.12.10 directory and type "make"
8. The next two steps will install the new sendmail:
sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
sudo make install
Make sure the permissions on your root directory are 755 (or set
DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should
now be running the patched sendmail.
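The two points in the procedure above where a mistake is easiest to make are the integrity check in step 2 and the account entries in steps 4 and 5. The following helper functions are an added example, not part of Apple's advisory: verify_tarball compares a downloaded archive against the cksum value quoted in step 2, and add_smmsp_entries appends the smmsp lines from steps 4 and 5 to the named passwd/group files only when the name and numeric id 25 are still free. The function names and the file-path arguments are this example's own; run it against copies of /etc/master.passwd and /etc/group first.

```shell
#!/bin/sh
# Added example (not from the Apple advisory): helpers for the Sendmail
# 8.12.10 build steps. Function names and arguments are this example's own.

# cksum output quoted in step 2 for sendmail.8.12.10.tar.gz: "crc size name"
EXPECTED_CRC=834313764
EXPECTED_SIZE=1892497

# verify_tarball FILE [CRC SIZE]: return 0 only if cksum(1) reports the
# expected CRC and byte count (defaults to the advisory's values).
verify_tarball() {
    file=$1
    want_crc=${2:-$EXPECTED_CRC}
    want_size=${3:-$EXPECTED_SIZE}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    set -- $(cksum "$file")          # positional params become: crc size name
    if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
        return 0
    fi
    echo "cksum mismatch: got $1 $2, expected $want_crc $want_size" >&2
    return 1
}

# add_smmsp_entries PASSWD GROUP: append the smmsp lines from steps 4-5,
# refusing if the name already exists or uid/gid 25 is taken, so a rerun
# never produces a duplicate entry or an id collision.
add_smmsp_entries() {
    passwd=$1
    group=$2
    if grep -q '^smmsp:' "$passwd" "$group"; then
        echo "smmsp already present" >&2
        return 1
    fi
    # field 3 is the uid in master.passwd and the gid in group
    if awk -F: '$3 == 25 { found=1 } END { exit !found }' "$passwd"; then
        echo "uid 25 already taken in $passwd" >&2
        return 1
    fi
    if awk -F: '$3 == 25 { found=1 } END { exit !found }' "$group"; then
        echo "gid 25 already taken in $group" >&2
        return 1
    fi
    echo 'smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false' >> "$passwd"
    echo 'smmsp:*:25:' >> "$group"
}
```

A typical run is `verify_tarball sendmail.8.12.10.tar.gz && tar xvzf sendmail.8.12.10.tar.gz`, so an archive that does not match the quoted checksum is never unpacked.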
================================================
Mac OS X 10.2.8 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
PowerMac G4 systems
===================
Mac OS X Client (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120244
The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82
Mac OS X Client (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120245
The download file is named: "MacOSXUpdate10.2.8.dmg"
Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c
Mac OS X Server (updating from 10.2.6):
http://www.info.apple.com/kbnum/n120246
The download file is named: "MacOSXServerUpdate10.2.8.dmg"
Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36
Mac OS X Server (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120247
The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67
PowerMac G5 systems
===================
Mac OS X Update (G5) v10.2.8(G5)
http://www.info.apple.com/kbnum/n120248
The download file is named: "MacOSXUpdate10.2.5.dmg"
Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac
For systems with the initial release (only) of Mac OS X 10.2.8
==============================================================
Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
http://www.info.apple.com/kbnum/n120252
The download file is named: "MacOSXUpd10.2.8.dmg"
Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----