AUSCERT External Security Bulletin Redistribution

                 ESB-2003.0701 -- Apple Security Advisory
                APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
                              06 October 2003


        AusCERT Security Bulletin Summary

Product:                OpenSSL
Publisher:              Apple
Operating System:       Mac OS X
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
                        Reduced Security
Access Required:        Remote
CVE Names:              CAN-2003-0543, CAN-2003-0544, CAN-2003-0545,
                        CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
                        CAN-2003-0466, CAN-2003-0601, CAN-2003-0518,
                        CAN-2003-0694, CAN-2003-0695, CAN-2003-0681,

Ref:                    AL-2003.18

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised

Mac OS X 10.2.8 has been re-posted, and it is updated to address
issues discovered with certain system configurations.  The security
enhancements in Mac OS X 10.2.8 are identical between the first
release and the one now available.


This note describes all security enhancements in Mac OS X 10.2.8,
with the following new information:

* Security enhancements for OpenSSL (details below) have been recently
announced, and we can now disclose the presence of these enhancements
in Mac OS X 10.2.8.

* The latest release of Mac OS X 10.2.8 includes support for PowerMac
G5 systems. The initial 10.2.8 release only applied to PowerMac G4

* A Sendmail workaround for Mac OS X 10.1.x systems is described


Mac OS X 10.2.8 contains security enhancements for the following:

OpenSSL:  Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address
    potential issues in certain ASN.1 structures and in certificate
    verification code. To deliver the update in a rapid and reliable
    manner, only the patches for the CVE IDs listed above were
    applied, and not the entire latest OpenSSL library. Thus, the
    OpenSSL version in Mac OS X 10.2.8, as obtained via the
    "openssl version" command, is:  OpenSSL 0.9.6i Feb 19 2003

OpenSSH:  Mac OS X 10.2.8 contains the patches to address CVE
    CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
    versions prior to 10.2.8, the vulnerability is limited to a denial
    of service from the possibility of causing sshd to crash. Each
    login session has its own sshd, so established connections are
    preserved up to the point where system resources are exhausted by
    an attack.

    To deliver the update in a rapid and reliable manner, only the
    patches for CVE IDs listed above were applied, and not the entire
    set of patches for OpenSSH 3.7.1.  Thus, the OpenSSH version in
    Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
       OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL

fb_realpath():  Fixes CAN-2003-0466 which is an off-by-one error in
    the fb_realpath() function that may allow attackers to execute
    arbitrary code.

arplookup():  Fixes CAN-2003-0804.  The arplookup() function caches
    ARP requests for routes on a local link.  On a local subnet only,
    it is possible for an attacker to send a sufficient number of
    spoofed ARP requests which will exhaust kernel memory, leading to
    a denial of service.

Sendmail:  Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
    buffer overflow in address parsing, as well as a potential buffer
    overflow in ruleset parsing.

How to install Sendmail for Mac OS X 10.1.5 systems:

- - - From the UNIX command-line, perform the following steps:

1. Download sendmail version 8.12.10 which contains the fix to the
Zalewski advisory, released on 2003/09/17, by executing the following
curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz

2. Verify the integrity of this file by typing:
cksum sendmail.8.12.10.tar.gz
which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"

3. Unpack the distribution as follows:
tar xvzf sendmail.8.12.10.tar.gz

4. Add the following line to your /etc/master.passwd file:
smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false

5.  Add the following line to your /etc/group file:

6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
same smmsp user and group entries to your netinfo database.  The
easiest way is to duplicate existing entries and edit them to match
the entries in steps 4 and 5.  For example, in the users pane you
could select and the duplicate (%D) the entry for "www" and then edit
the uid/gid/name/home directory fields in the new "www copy" to match
those in step 4.  Similarly, for groups you could select the entry for
"mail" and duplicate it, editing just the name and gid fields to match
those in step 5.  When you're done, you should see a users/smmsp entry
and a groups/smmsp entry.

7.  Now you're ready to start building the distribution.  cd to the
sendmail-8.12.10 directory and type "make"

8.  The next two steps will install the new sendmail:

sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
sudo make install

Make sure the permissions on your root directory are 755 (or set
DontBlameSendmail in /etc/mail/sendmail.cf) and reboot.  You should
now be running the patched sendmail.


Mac OS X 10.2.8 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    PowerMac G4 systems
    Mac OS X Client (updating from 10.2 - 10.2.5):
    The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
    Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82

    Mac OS X Client (updating from 10.2.6 - 10.2.7):
    The download file is named: "MacOSXUpdate10.2.8.dmg"
    Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c

    Mac OS X Server (updating from 10.2.6):
    The download file is named: "MacOSXServerUpdate10.2.8.dmg"
    Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36

    Mac OS X Server (updating from 10.2 - 10.2.5):
    The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
    Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67
    PowerMac G5 systems
    Mac OS X Update (G5) v10.2.8(G5)
    The download file is named: "MacOSXUpdate10.2.5.dmg"
    Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac

    For systems with the initial release (only) of Mac OS X 10.2.8
    Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
    The download file is named: "MacOSXUpd10.2.8.dmg"
    Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e
Information will also be posted to the Apple Product Security web

This message is signed with Apple's Product Security PGP key, and
details are available at:

Version: PGP 8.0.2


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967