AusCERT - ESB-2003.0867 -- APPLE-SA-2003-12-19 Security Update 2003-12-19 -- Security Update 2003-12-19 for Panther is available for Mac OS X 10.3.2 and Mac OS X Server 10.3.2.

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2003.0867 -- APPLE-SA-2003-12-19 Security Update 2003-12-19 -- Security Update 2003-12-19 for Panther is available for Mac OS X 10.3.2 and Mac OS X Server 10.3.2.
Date: 22 December 2003

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

      ESB-2003.0867 -- APPLE-SA-2003-12-19 Security Update 2003-12-19
  Security Update 2003-12-19 for Panther is available for Mac OS X 10.3.2
                        and Mac OS X Server 10.3.2.
                             22 December 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                AppleFileServer
                        ASN.1 Decoding for PKI
                        cd9660.util
                        Directory Services
                        fetchmail
                        fs_usage
                        rsync
                        Screen Saver
                        System initialization
Publisher:              Apple
Operating System:       Mac OS X
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-1007 CAN-2003-1005 CAN-2003-1006
                        CAN-2003-1009 CAN-2003-0792 CAN-2003-1010
                        CAN-2003-0962 CAN-2003-1008 CAN-2003-1011
Comment: 
         Security Update 2003-12-19 for Jaguar (Mac OS X 10.2.8) may be
         obtained from:

          * Software Update pane in System Preferences

          * Apple's Software Downloads web site:
          http://www.info.apple.com/kbnum/n120291
          The download file is named: "SecurityUpd2003-12-19Jag.dmg"
          Its SHA-1 digest is: b0c5d1ef54020db7580798fddd7a1e132e653896

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-12-19 Security Update 2003-12-19 for Panther

Security Update 2003-12-19 for Panther is available for
    Mac OS X 10.3.2 and Mac OS X Server 10.3.2.

It contains security enhancements for the following:

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of
    malformed requests.

ASN.1 Decoding for PKI:  Fixes CAN-2003-1005 which could cause a
    potential denial of service when receiving malformed ASN.1
    sequences.  This is related but separate from CAN-2003-0851.

cd9660.util:  Fixes CAN-2003-1006, a buffer overflow vulnerability in
    the filesystem utility cd9660.util.
    Credit to KF of Secure Network Operations for reporting this issue.

Directory Services:  Fixes CAN-2003-1009.  The default settings are
    changed to prevent an inadvertent connection in the event of a
    malicious DHCP server on the computer's local subnet.  Further
    information is provided in Apple's Knowledge Base article:
    http://docs.info.apple.com/article.html?artnum=32478
    Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that
    improve its stability when receiving malformed messages.

fs_usage:  Fixes CAN-2003-1010. The fs_usage tool has been improved to
    prevent a local privilege escalation vulnerability.  This tool is
    used to collect system performance information and requires admin
    privileges to run.
    Credit to Dave G. of @stake for reporting this issue.

rsync:  Fixes CAN-2003-0962 by improving the security of the rsync
    server.
    
Screen Saver:  Fixes CAN-2003-1008.  When the Screen Saver login
    window is present, it is no longer possible to write a text
    clipping to the desktop or an application.
    Credit to Benjamin Kelly for reporting this issue.

System initialization:  Fixes CAN-2003-1011. The system initialization
    process has been improved to restrict root access on a system that
    uses a USB keyboard.

================================================

Security Update 2003-12-19 for Panther may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:
    http://www.info.apple.com/kbnum/n120292
    The download file is named: "SecurityUpd2003-12-19.dmg"
    Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8
    
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP+Rsp3eI0z6bzFr0AQI/MwgAqqUXmeRPg2xLQlbGiK15uDhgrcOuE27V
5fi8IvkiAWMN/qjJofG3y+crtmZwTea0Z8qvcw8EcbMRtuhqzyCu43HFTE8wFJ4w
FqmwihZQANu8IHye9tgl36CiPJvY3bYWPxd3GobAQKZp81/OIhY3H2aB79Oa3N3o
6lBPHInyLmRswlOa9s7v6wSJAK/9MXa7dwSLtaaFsVg7R8kfe4atZ0tAlc8rHAnS
k0sZq1z6hPeiXHRxFIeozwTr6P5QLZB/3YuRYLtgYudojOauV1/X4/ltsOb5Kdk/
HUdrNSZfoECPI78BecWblnsGG91Tgd20GIcTke06o0zWvZa2vXWJDg==
=3ZBF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP+Y3iCh9+71yA2DNAQG35gP/ejfmujnVUf0kpgv5vnVB/gB1/+qzgx+u
f17TbOdx/1av6rS8Pja7UFUxNxPSNH5DKa6A5sDNCvgRZ8X6IaYdkgF4k13gElDe
e2gD8WK42ShsSNGov4MrVrImGWcCVVEwafXyFFFUudvKSE0jIw0gE1TqqwBXI2b6
wBLEOQ9TAtM=
=b/nG
-----END PGP SIGNATURE-----