-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2003.0701 -- Apple Security Advisory
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
06 October 2003
AusCERT Security Bulletin Summary
Operating System: Mac OS X
Impact: Denial of Service
Execute Arbitrary Code/Commands
Access Required: Remote
CVE Names: CAN-2003-0543, CAN-2003-0544, CAN-2003-0545,
CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
CAN-2003-0466, CAN-2003-0601, CAN-2003-0518,
CAN-2003-0694, CAN-2003-0695, CAN-2003-0681,
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
Mac OS X 10.2.8 has been re-posted, and it is updated to address
issues discovered with certain system configurations. The security
enhancements in Mac OS X 10.2.8 are identical between the first
release and the one now available.
This note describes all security enhancements in Mac OS X 10.2.8,
with the following new information:
* Security enhancements for OpenSSL (details below) have been recently
announced, and we can now disclose the presence of these enhancements
in Mac OS X 10.2.8.
* The latest release of Mac OS X 10.2.8 includes support for PowerMac
G5 systems. The initial 10.2.8 release only applied to PowerMac G4
* A Sendmail workaround for Mac OS X 10.1.x systems is described
Mac OS X 10.2.8 contains security enhancements for the following:
OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address
potential issues in certain ASN.1 structures and in certificate
verification code. To deliver the update in a rapid and reliable
manner, only the patches for the CVE IDs listed above were
applied, and not the entire latest OpenSSL library. Thus, the
OpenSSL version in Mac OS X 10.2.8, as obtained via the
"openssl version" command, is: OpenSSL 0.9.6i Feb 19 2003
OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
versions prior to 10.2.8, the vulnerability is limited to a denial
of service from the possibility of causing sshd to crash. Each
login session has its own sshd, so established connections are
preserved up to the point where system resources are exhausted by
To deliver the update in a rapid and reliable manner, only the
patches for CVE IDs listed above were applied, and not the entire
set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in
the fb_realpath() function that may allow attackers to execute
arplookup(): Fixes CAN-2003-0804. The arplookup() function caches
ARP requests for routes on a local link. On a local subnet only,
it is possible for an attacker to send a sufficient number of
spoofed ARP requests which will exhaust kernel memory, leading to
a denial of service.
Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
buffer overflow in address parsing, as well as a potential buffer
overflow in ruleset parsing.
How to install Sendmail for Mac OS X 10.1.5 systems:
- - - From the UNIX command-line, perform the following steps:
1. Download sendmail version 8.12.10 which contains the fix to the
Zalewski advisory, released on 2003/09/17, by executing the following
curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
2. Verify the integrity of this file by typing:
which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"
3. Unpack the distribution as follows:
tar xvzf sendmail.8.12.10.tar.gz
4. Add the following line to your /etc/master.passwd file:
5. Add the following line to your /etc/group file:
6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
same smmsp user and group entries to your netinfo database. The
easiest way is to duplicate existing entries and edit them to match
the entries in steps 4 and 5. For example, in the users pane you
could select and the duplicate (%D) the entry for "www" and then edit
the uid/gid/name/home directory fields in the new "www copy" to match
those in step 4. Similarly, for groups you could select the entry for
"mail" and duplicate it, editing just the name and gid fields to match
those in step 5. When you're done, you should see a users/smmsp entry
and a groups/smmsp entry.
7. Now you're ready to start building the distribution. cd to the
sendmail-8.12.10 directory and type "make"
8. The next two steps will install the new sendmail:
sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
sudo make install
Make sure the permissions on your root directory are 755 (or set
DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should
now be running the patched sendmail.
Mac OS X 10.2.8 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
PowerMac G4 systems
Mac OS X Client (updating from 10.2 - 10.2.5):
The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82
Mac OS X Client (updating from 10.2.6 - 10.2.7):
The download file is named: "MacOSXUpdate10.2.8.dmg"
Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c
Mac OS X Server (updating from 10.2.6):
The download file is named: "MacOSXServerUpdate10.2.8.dmg"
Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36
Mac OS X Server (updating from 10.2 - 10.2.5):
The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67
PowerMac G5 systems
Mac OS X Update (G5) v10.2.8(G5)
The download file is named: "MacOSXUpdate10.2.5.dmg"
Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac
For systems with the initial release (only) of Mac OS X 10.2.8
Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
The download file is named: "MacOSXUpd10.2.8.dmg"
Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e
Information will also be posted to the Apple Product Security web
This message is signed with Apple's Product Security PGP key, and
details are available at:
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----