Security update 2004-12-02

Discussion in 'Apple' started by Michelle Steiner, Dec 2, 2004.

  1. Security Update 2004-12-02 delivers a number of security enhancements
    and is recommended for all Macintosh users. This update includes the
    following components:

    Apache
    AppKit
    HIToolbox
    Kerberos
    Postfix
    PSNormalizer
    Safari
    Terminal


    For detailed information on this Update, please visit this website:
    http://www.info.apple.com/kbnum/n61798

    Security Update 2004-12-02
    ? Apache
    Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1082
    Impact: Apache mod_digest_apple authentication is vulnerable to replay
    attacks.
    Description: The Mac OS X Server specific mod_digest_apple is based on
    Apache's mod_digest. Multiple corrections for a replay problem in
    mod_digest were made in versions 1.3.31 and 1.3.32 of Apache
    (CAN-2003-0987). This update corrects the replay problem in
    mod_digest_apple authentication using the modifications made to Apache
    1.3.32.


    ? Apache
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2003-0020, CAN-2003-0987, CAN-2004-0174, CAN-2004-0488,
    CAN-2004-0492, CAN-2004-0885, CAN-2004-0940
    Impact: Multiple vulnerabilities in Apache and mod_ssl including local
    privilege escalation, remote denial of service and in some modified
    configurations execution of arbitrary code.
    Description: The Apache Group fixed a number of vulnerabilities between
    versions 1.3.29 and 1.3.33. The Apache Group security page for Apache
    1.3 is located at http://www.apacheweek.com/features/security-13. The
    previously installed version of Apache was 1.3.29. The default
    installation of Apache does not enable mod_ssl. This update fixes all of
    applicable issues by updating Apache to version 1.3.33 and the companion
    mod_ssl to version 2.8.22.


    ? Apache
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1083
    Impact: Apache configurations did not fully block access to ".DS_Store"
    files or those starting with ".ht".
    Description: A default Apache configuration blocks access to files
    starting with ".ht" in a case sensitive way. The Apple HFS+ filesystem
    performs file access in a case insensitive way. The Finder may also
    create .DS_Store files containing the names of files in locations used
    to serve web pages. This update modifies the Apache configuration to
    restricts access to all files beginning with ".ht" or ".DS_S" regardless
    of capitalization. More...


    ? Apache
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1084
    Impact: File data and resource fork content can be retrieved via HTTP
    bypassing normal Apache file handlers.
    Description: The Apple HFS+ filesystem permits files to have multiple
    data streams. These data streams can be directly accessed using special
    filenames. A specially crafted HTTP request can bypass an Apache file
    handler and directly access file data or resource fork content. This
    update modifies the Apache configuration to deny requests for file data
    or resource fork content via their special filenames. For more
    information, see this document. Credit to NetSec for reporting this
    issue.


    ? Apache 2
    Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-0747, CAN-2004-0786, CAN-2004-0751, CAN-2004-0748
    Impact: Modified Apache 2 configurations could permit a privilege
    escalation for local users and remote denial of service.
    Description: A customer-modified Apache 2 configuration, where
    AllowOverride has been enabled, could permit a local user to execute
    arbitrary code as the Apache (www) user. An unmodified configuration is
    not vulnerable to this problem. This update also addresses bugs in
    Apache that could allow certain types of requests to crash the server.
    Apache is updated to version 2.0.52. Apache 2 ships only with Mac OS X
    Server, and is off by default.


    ? Appkit
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1081
    Impact: Characters entered into a secure text field can be read by
    other applications in the same window session
    Description: In some circumstances a secure text input field will not
    correctly enable secure input. This can allow other applications in the
    same window session to see some input characters and keyboard events.
    Input to secure text fields is now enabled in a way to prevent the
    leakage of key press information.


    ? Appkit
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-0803, CAN-2004-0804, CAN-2004-0886
    Impact: Integer overflows and poor range checking in tiff handling
    could allow to execution of arbitrary code or denial of service.
    Description: Flaws in decoding tiff images could overwrite memory,
    cause arithmetic errors resulting in a crash, or permit the execution of
    arbitrary code. This update corrects the problems in the handling of
    tiff images.


    ? Cyrus IMAP
    Available for: Mac OS X Server v10.3.6
    CVE-ID: CAN-2004-1089
    Impact: When using Kerberos authentication with Cyrus IMAP an
    authenticated user could gain unauthorized access to other mailboxes on
    the same system.
    Description: When using the Kerberos authentication mechanism with the
    Cyrus IMAP server a user could switch mailboxes after authenticating and
    gain access to other mailboxes on the same system. This update binds the
    mailbox to the authenticated user. This server-specific issue is not
    present in Mac OS X Server v10.2.8. Credit to
    for reporting this issue.


    ? HIToolbox
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
    CVE-ID: CAN-2004-1085
    Impact: Users can quit applications in kiosk mode
    Description: A special key combination allowed users to bring up the
    force quit window even in kiosk mode. This update will block all
    force-quit key combinations not to work while in kiosk mode. This issue
    is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to
    Glenn Blauvelt of University of Colorado at Boulder for reporting this
    issue.


    ? Kerberos
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
    Impact: Exposure to a potential denial of service when Kerberos
    authentication is used
    Description: MIT has released a new version of Kerberos that addresses
    a denial of service and three double free errors. Mac OS X contains
    protection against double free errors. This update applies the fix for
    the denial of service problem. As a precautionary measure the double
    free patches have also been applied. Credit to the MIT Kerberos
    Development Team for reporting this issue and providing fixes.


    ? Postfix
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
    CVE-ID: CAN-2004-1088
    Impact: Postfix using CRAM-MD5 may allow a remote user to send mail
    without properly authenticating.
    Description: Postfix servers using CRAM-MD5 to authenticate senders
    were vulnerable to a replay attack. Under some circumstances, the
    credentials used to successfully authenticate a user could be re-used
    for a small time period. The CRAM-MD5 algorithm used to authenticate
    users has been updated to prevent the replay window. This issue is not
    present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Victor
    Duchovni of Morgan Stanley for reporting this issue.


    ? PSNormalizer
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
    CVE-ID: CAN-2004-1086
    Impact: A buffer overflow in PostScript to PDF conversion could allow
    execution of arbitrary code.
    Description: A buffer overflow in the handling of PostScript to PDF
    conversion could potentially allow the execution of arbitrary code. This
    updates corrects the PostScript to PDF conversion code to prevent the
    buffer overflow. This issue is not present in Mac OS X v10.2.8 or Mac OS
    X Server v10.2.8.


    ? QuickTime Streaming Server
    Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1123
    Impact: Specially crafted requests could cause a denial of service.
    Description: QuickTime Streaming Server was vulnerable to a denial of
    service attack when handling DESCRIBE requests. This update corrects the
    handling of these requests. Credit to iDEFENSE for reporting this issue.


    ? Safari
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1121
    Impact: Specially crafted HTML can display a misleading URI the Safari
    status bar.
    Description: Safari could be tricked into displaying a URI in its
    status bar that was not the same as the destination of a link. This
    update corrects Safari so that it now displays the URI that will be
    activated when selected.


    ? Safari
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X
    v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1122
    Impact: With multiple browser windows active Safari users could be
    mislead about which window activated a pop-up window.
    Description: When multiple Safari windows are open, a carefully timed
    pop-up could mislead a user into thinking it was activated by a
    different site. In this update Safari now places a window that activates
    a pop-up in front of all other browser windows. Credit to Secunia
    Research for reporting this issue.


    ? Terminal
    Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6
    CVE-ID: CAN-2004-1087
    Impact: Terminal may indicate that 'Secure Keyboard Entry' is active
    when it is not.
    Description: The 'Secure Keyboard Entry' menu setting was not properly
    restored when launching Terminal.app. A check mark would be displayed
    next to 'Secure Keyboard Entry' even though it was not enabled. This
    update fixes the behavior of the 'Secure Keyboard Entry'. This issue is
    not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to
    Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue.


    iCal 1.5.4

    CVE-ID: CAN-2004-1021
    Impact: New iCal calendars may add alarms without approval.
    Description: iCal calendars may include notification of events via
    alarms. These alarms may open programs and send e-mail. iCal has been
    updated to show an alert window when importing or opening calendars
    containing alarms. iCal 1.5.4 is available for Mac OS X 10.2.3 or later.
    Credit to for reporting this issue.
     
    Michelle Steiner, Dec 2, 2004
    #1
    1. Advertisements

  2. Michelle Steiner

    M-M Guest

    Thanks for the heads-up.

    Time to change your x-face. You lost.

    m-m
     
    M-M, Dec 3, 2004
    #2
    1. Advertisements


  3. We all lost, but some of us haven't realized it yet. There's still time
    to impeach the little bastard.

    ObMacContent: eh, why bother.
     
    richard schumacher, Dec 3, 2004
    #3
  4. Depends. What about the right to express a pro-Bush one?
     
    Keeper of the Purple Twilight, Dec 3, 2004
    #4
  5. So far...
     
    Keeper of the Purple Twilight, Dec 3, 2004
    #5
  6. Michelle Steiner

    M-M Guest

    Impeach? HA!

    Earth to richard schumacher...

    m-m
     
    M-M, Dec 3, 2004
    #6
  7. Michelle Steiner

    Bev A. Kupf Guest

    No, the United States of America did.
     
    Bev A. Kupf, Dec 3, 2004
    #7
  8. Security update completed, rebooted, no problem mon.
     
    richard schumacher, Dec 3, 2004
    #8
  9. Michelle Steiner

    Tim McNamara Guest

    Why not? If Bill Clinton can be impeached for lying about a blowjob,
    George W. Bush can be impeached for starting a war based on lies and
    costing upwards of 130,000 lives, being an economic nincompoop and
    creating the most massive deficit spending in human history, and
    generally lying to the American people at every turn and failing to
    uphold his oath of office.

    But fortunately for George, the Republican majority in Congress is in
    cahoots with him and the Democrats are idiots. So he's safe from
    impeachment for at least two years. Two years after that and it'll be
    President Schwarzenegger's turn.
     
    Tim McNamara, Dec 3, 2004
    #9
  10. Michelle Steiner

    Mike Guest

    No, the minority lost. The majority won. Get over it already.

    Mike
     
    Mike, Dec 3, 2004
    #10
  11. The X-face remains. That guy needs to be impeached for the sake of the
    nation and of the world.
     
    Michelle Steiner, Dec 3, 2004
    #11
  12. It would take a constitutional amendment for him to be eligible to be
    president.
     
    Michelle Steiner, Dec 3, 2004
    #12
  13. Michelle Steiner

    M-M Guest

    M-M, Dec 3, 2004
    #13
  14. Michelle Steiner, Dec 3, 2004
    #14
  15. Michelle Steiner

    M-M Guest


    Fighting back? You already lost- the fight is over. You'd be better off
    trying to win the hearts and minds of those who you turned off in the
    last election.

    An angry attitude is not the way to do it.

    m-m
     
    M-M, Dec 3, 2004
    #15
  16. Michelle Steiner

    Eric Johnson Guest

    See what I mean, Michelle?

    You just can't give it a rest, no can you?

    You are a vitrio-holic.

    ej
     
    Eric Johnson, Dec 3, 2004
    #16
  17. Michelle Steiner

    Eric Johnson Guest


    No, were just sick of the election bitterness and want to play with our
    Mac's on this newsgroup.

    Michelle doesn't seem to think clubbing everyone with her opinion in
    inappropriate places and times is not utterly rude and uncivilized.

    She is wrong, however.

    ej
     
    Eric Johnson, Dec 3, 2004
    #17
  18. Michelle Steiner

    Eric Johnson Guest


    That does not exist unless you want to receive the wrath of Michelle
    Steiner.

    Pretty soon she'll label you as some sort of creature bent on the
    destruction of freedom and the imposition of Nazism.

    Just wait for it.

    ej
     
    Eric Johnson, Dec 3, 2004
    #18
  19. Michelle Steiner

    Eric Johnson Guest


    You haven't followed Michelle Steiner closely enough then.

    But, hell, she'd just as soon have you killed as entertain the idea of
    asking someone politely to remove a pro-bush statement.

    ej
     
    Eric Johnson, Dec 3, 2004
    #19
  20. Michelle Steiner

    Eric Johnson Guest


    No, John Kerry did. Period.

    Also Anti-bush radicals lost.

    But America is unharmed by elections.

    ej
     
    Eric Johnson, Dec 3, 2004
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.