Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0701 -- Apple Security Advisory APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised 06 October 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenSSL OpenSSH Sendmail fb_realpath arplookup Publisher: Apple Operating System: Mac OS X Impact: Denial of Service Execute Arbitrary Code/Commands Reduced Security Access Required: Remote CVE Names: CAN-2003-0543, CAN-2003-0544, CAN-2003-0545, CAN-2003-0693, CAN-2003-0695, CAN-2003-0682, CAN-2003-0466, CAN-2003-0601, CAN-2003-0518, CAN-2003-0694, CAN-2003-0695, CAN-2003-0681, CAN-2003-0804 Ref: AL-2003.18 AL-2003.17 AL-2003.16 ESB-2003.0674 ESB-2003.0582 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised Mac OS X 10.2.8 has been re-posted, and it is updated to address issues discovered with certain system configurations. The security enhancements in Mac OS X 10.2.8 are identical between the first release and the one now available. ================================================ This note describes all security enhancements in Mac OS X 10.2.8, with the following new information: * Security enhancements for OpenSSL (details below) have been recently announced, and we can now disclose the presence of these enhancements in Mac OS X 10.2.8. * The latest release of Mac OS X 10.2.8 includes support for PowerMac G5 systems. The initial 10.2.8 release only applied to PowerMac G4 systems. * A Sendmail workaround for Mac OS X 10.1.x systems is described below. ================================================ Mac OS X 10.2.8 contains security enhancements for the following: OpenSSL: Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address potential issues in certain ASN.1 structures and in certificate verification code. To deliver the update in a rapid and reliable manner, only the patches for the CVE IDs listed above were applied, and not the entire latest OpenSSL library. Thus, the OpenSSL version in Mac OS X 10.2.8, as obtained via the "openssl version" command, is: OpenSSL 0.9.6i Feb 19 2003 OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack. To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is: OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in the fb_realpath() function that may allow attackers to execute arbitrary code. arplookup(): Fixes CAN-2003-0804. The arplookup() function caches ARP requests for routes on a local link. On a local subnet only, it is possible for an attacker to send a sufficient number of spoofed ARP requests which will exhaust kernel memory, leading to a denial of service. Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing. ================================================ How to install Sendmail for Mac OS X 10.1.5 systems: - - - From the UNIX command-line, perform the following steps: 1. Download sendmail version 8.12.10 which contains the fix to the Zalewski advisory, released on 2003/09/17, by executing the following command: curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz 2. Verify the integrity of this file by typing: cksum sendmail.8.12.10.tar.gz which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz" 3. Unpack the distribution as follows: tar xvzf sendmail.8.12.10.tar.gz 4. Add the following line to your /etc/master.passwd file: smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false 5. Add the following line to your /etc/group file: smmsp:*:25: 6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the same smmsp user and group entries to your netinfo database. The easiest way is to duplicate existing entries and edit them to match the entries in steps 4 and 5. For example, in the users pane you could select and the duplicate (%D) the entry for "www" and then edit the uid/gid/name/home directory fields in the new "www copy" to match those in step 4. Similarly, for groups you could select the entry for "mail" and duplicate it, editing just the name and gid fields to match those in step 5. When you're done, you should see a users/smmsp entry and a groups/smmsp entry. 7. Now you're ready to start building the distribution. cd to the sendmail-8.12.10 directory and type "make" 8. The next two steps will install the new sendmail: sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8 sudo make install Make sure the permissions on your root directory are 755 (or set DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should now be running the patched sendmail. ================================================ Mac OS X 10.2.8 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: PowerMac G4 systems =================== Mac OS X Client (updating from 10.2 - 10.2.5): http://www.info.apple.com/kbnum/n120244 The download file is named: "MacOSXUpdateCombo10.2.8.dmg" Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82 Mac OS X Client (updating from 10.2.6 - 10.2.7): http://www.info.apple.com/kbnum/n120245 The download file is named: "MacOSXUpdate10.2.8.dmg" Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c Mac OS X Server (updating from 10.2.6): http://www.info.apple.com/kbnum/n120246 The download file is named: "MacOSXServerUpdate10.2.8.dmg" Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36 Mac OS X Server (updating from 10.2 - 10.2.5): http://www.info.apple.com/kbnum/n120247 The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg" Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67 PowerMac G5 systems =================== Mac OS X Update (G5) v10.2.8(G5) http://www.info.apple.com/kbnum/n120248 The download file is named: "MacOSXUpdate10.2.5.dmg" Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac For systems with the initial release (only) of Mac OS X 10.2.8 ============================================================== Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8): http://www.info.apple.com/kbnum/n120252 The download file is named: "MacOSXUpd10.2.8.dmg" Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQEVAwUBP34ORHeI0z6bzFr0AQI54Af/Uk6ZrNYG4JHgX7cA9jU81R8q0cDCujcT srEYFtdsO0C1ktaeIPq7+rusfK06gwJbFcNdL2AWzHIHDJ61mdarO9FenrJEqx/3 A7OyA44RQQWgcvY82P9voH7nLnhqAmqXwPK+ceLr6QvwtAjV6Q67xq3iCL9Yng0e u9fE9Oq66C132XuphNecr6XidVh3bCq4c5o0WbaWmrKlnLXad3sVUBcJ+/8uT/mv eareO74u8Hadap2DPPjNFKVeTAMjuMHzryjRKUYBDzX7fhUsJVclUvcdamuEVgFO SOVrKXvmFG3Td36tcGK6MHcAicQM/AjJqbv+q+KAzJ27p0UD2GNX2A== =XmO2 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBP4CvpSh9+71yA2DNAQEqSAP/QKAljhYNIe2IN5X1+bp8ArbHHcnmplPV a+fuuVCmP3sLaYxpI4YwizB020QVrdsCTv3xW0VEqUqR7hOh8LIS0fH3kuljnK95 TnN0J8bOY9hj9Wl3bELRgmOscUaZy/TYSA5DUTgoC0tQxy4DUNjBlu736eYrlp8F sc3soOn3sDo= =Ggd+ -----END PGP SIGNATURE-----