Posted on 01/25/2005 7:57:15 PM PST by Swordmaker
About Security Update 2005-001 for Mac OS X
This document describes Security Update 2005-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Security Update 2005-001
Component: at commands
Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0125
Impact: Updates the "at" commands to address a local privilege escalation vulnerability
Description: The "at" family of commands did not properly drop privileges. This could allow a local user to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. This update patches the commands at, atrm, batch, atq, and atrun. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.
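The "at" fix is a failure to drop privileges before acting on a user-supplied path, so here is an added example (not Apple's or the at/atrm source) of the pattern a setuid-root helper such as atrm needs: drop supplementary groups, primary group and then the user id, verify the drop is irreversible, and only then unlink the path. The function names (drop_privileges, remove_as_user, self_check) and the temp file under /tmp are assumptions for the demo.

```c
/* Added example, not code from Apple's at/atrm. Shows the privilege-drop
 * pattern a setuid-root helper needs before it touches a user-supplied path.
 * Function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid permanently, in the only order that works: supplementary
 * groups and primary group first (they need root), then the user id.
 * Returns 0 only if the drop is verified to be irreversible. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may reset the supplementary group list. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* sets real, effective and saved uid */
        return -1;

    /* Verification: a correct drop cannot be undone. If the process can
     * still become root, a saved uid was left behind and the drop failed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Remove PATH with exactly the rights of uid/gid: fork, drop privileges in
 * the child, and let the kernel decide whether the unlink is permitted.
 * The privileged parent never evaluates the path itself, so there is no
 * ownership check to get wrong. Returns 0 on success, -1 otherwise. */
static int remove_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(2);
        _exit(unlink(path) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed self-check: create a temp file we own, remove it as ourselves
 * (expect 0), then retry on the now-missing path (expect -1). */
static int self_check(void)
{
    char path[] = "/tmp/atrm-demo-XXXXXX";   /* assumed writable location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int first = remove_as_user(path, getuid(), getgid());
    int second = remove_as_user(path, getuid(), getgid());
    return (first == 0 && second == -1 && access(path, F_OK) != 0) ? 0 : -1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still passes verification; run setuid-root it leaves the child with nothing but the caller's own rights, which is the state atrm needed to be in before deleting anything.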
Component: ColorSync
Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2005-0126
Impact: Malformed ICC color profiles could overwrite the program heap, resulting in arbitrary code execution.
Description: An out-of-specification or improperly embedded ICC color profile could overwrite the program heap and allow arbitrary code execution. There are no known exploits for this issue. With this update, ColorSync will reject incorrectly-formed ICC color profiles.
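As an added example of the "reject incorrectly-formed profiles" fix class (this is not Apple's ColorSync code), the following validates the structure of an ICC profile against the real buffer length before any of its tag data is copied into the heap: the size field in the 128-byte header, the 'acsp' signature, the tag count, and every tag's offset and size, with the 32-bit offset+size sum guarded against wrap-around. The function names and the constructed sample profiles are assumptions for the demo; the layout checked is the public ICC v2 header and tag table.

```c
/* Added example, not Apple's ColorSync code. Structural validation of an
 * ICC profile (128-byte header, 'acsp' at offset 36, tag table at 128)
 * before any tag is read. Function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICC_HEADER_LEN    128u
#define ICC_TAG_ENTRY_LEN 12u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns 0 if the profile is structurally sound, otherwise a small
 * positive code identifying the first check that failed. */
int icc_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < ICC_HEADER_LEN + 4)
        return 1;                       /* no room for header + tag count */
    if (memcmp(buf + 36, "acsp", 4) != 0)
        return 2;                       /* not an ICC profile */
    uint32_t declared = be32(buf);
    if (declared < ICC_HEADER_LEN + 4 || declared > len)
        return 3;                       /* size field disagrees with the data */

    uint32_t count = be32(buf + ICC_HEADER_LEN);
    /* count * 12 must fit in the declared size; dividing avoids overflow. */
    if (count > (declared - ICC_HEADER_LEN - 4) / ICC_TAG_ENTRY_LEN)
        return 4;

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICC_HEADER_LEN + 4 + (size_t)i * ICC_TAG_ENTRY_LEN;
        uint32_t off = be32(e + 4), size = be32(e + 8);
        if (off < ICC_HEADER_LEN)
            return 5;                   /* tag data overlaps the header */
        /* Equivalent to off + size <= declared, without 32-bit wrap-around. */
        if (size > declared || off > declared - size)
            return 6;
    }
    return 0;
}

/* Constructed minimal profile: header, one tag entry, 8 bytes of tag data
 * (152 bytes). Returns icc_validate() over the whole buffer, or over the
 * first truncate_to bytes when that is non-zero. */
static int check_case(uint32_t tag_off, uint32_t tag_size, size_t truncate_to)
{
    uint8_t buf[ICC_HEADER_LEN + 4 + ICC_TAG_ENTRY_LEN + 8];
    size_t total = sizeof buf;
    memset(buf, 0, total);
    put32(buf, (uint32_t)total);                      /* profile size */
    memcpy(buf + 36, "acsp", 4);                      /* signature */
    put32(buf + ICC_HEADER_LEN, 1);                   /* one tag */
    uint8_t *e = buf + ICC_HEADER_LEN + 4;
    memcpy(e, "desc", 4);
    put32(e + 4, tag_off);
    put32(e + 8, tag_size);
    return icc_validate(buf, truncate_to ? truncate_to : total);
}

int main(void)
{
    printf("well-formed:            %d\n", check_case(144, 8, 0));
    printf("tag size > profile:     %d\n", check_case(144, 0xFFFFFFF0u, 0));
    printf("offset+size wraps:      %d\n", check_case(0xFFFFFFF8u, 16, 0));
    printf("tag inside header:      %d\n", check_case(64, 8, 0));
    printf("size field > data:      %d\n", check_case(144, 8, 140));
    printf("truncated below header: %d\n", check_case(144, 8, 100));
    return 0;
}
```

The third case is the one that matters for a heap overwrite: 0xFFFFFFF8 + 16 wraps to 8 in 32 bits, so a naive `off + size <= declared` check passes and a later copy of `size` bytes from `buf + off` reads far outside the profile.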
Component: libxml2
Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
CVE-ID: CAN-2004-0989
Impact: The libxml2 library contains unsafe code that may be exploited in applications linked against it.
Description: This update fixes several functions in the libxml2 library that have been identified as unsafe due to potentially exploitable buffer overflows.
Component: Mail
Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0127
Impact: Email messages sent from a single machine can be identified
Description: A GUID containing an identifier associated with the Ethernet networking hardware was used in the construction of the RFC 822-required Message-ID header. Mail now hides this information by computing the Message-ID from a cryptographic hash of the GUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.
Component: PHP
Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2003-0860, CAN-2003-0863, CAN-2004-0594, CAN-2004-0595, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065
Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code
Description: PHP is updated to version 4.3.10 to address several issues. The PHP release announcement for version 4.3.10 is located at http://www.php.net/release_4_3_10.php.
Component: Safari
Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1314
Impact: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site
Description: If the "Block Pop-Up Windows" feature is enabled, then this issue does not occur. If the "Block Pop-Up Windows" feature is not enabled, a user can be misled about the content of a pop-up window if they used an untrusted link to navigate to a site they wanted to view. This update corrects the issue regardless of the "Block Pop-Up Windows" setting. Credit to Secunia Research for reporting this issue.
Component: SquirrelMail
Available for: Mac OS X Server v10.3.7
CVE-ID: CAN-2004-1036
Impact: SquirrelMail is updated to address a cross-site scripting vulnerability
Description: A cross-site scripting vulnerability in SquirrelMail allowed email messages to contain content that would be rendered by a user's web browser. SquirrelMail is updated to address this issue. Further details are available from the SquirrelMail website: http://www.squirrelmail.org/.
ALL Freeper OSX users should run their "SOFTWARE UPDATE" on the Apple menu immediately PING!!!
Users of DU who are lurking and sneaking around here should do the same.
If you want to be included or excluded from the Mac Ping List,
Here is some more grist for your mill, Bush... Apple OSX security updates.
Thanks...just got home, this was the first I heard of it.
Nevermind. I don't want to spread newbie confusion with that link. I just clicked on software update and got everything I wanted. thanks for the important ping.
That PHP bug looks like a doozy - the rest appear somewhat less serious.
It was a good link... but you're right about confusing newbies... and there are going to be a lot of them this week.
I was at the Sacramento Apple Store today. They sold out every Mac Mini they got in just 3 hours Saturday. That was several hundred. More are coming in Friday, but the salesgal thought they were all reserved.
They also sold every iPod Shuffle...
Here is the info from PHP's website.
Wow that's incredible.
Thanks...will install
Thanks for the "heads-up". Luckily, these are few & far between.
DONE!
Thanks Swordmaker, and Cyborg
Thanks for the heads up.
I certainly appreciate being on your ping list!
Thanks for the heads up!
Hi Swordmaker,
I'm on OSX 1.10. The update is only available for 1.3. Do I need it on the 1.10?
Use Software Update from your Preferences Window... it will download and install the updates that OSX.1.10 needs or can use from what's available.
***Use Software Update from your Preferences Window... it will download and install the updates that OSX.1.10 needs or can use from what's available.***
You are such a gem! I'm a complete nerd when it comes to Mac after using Windows for many, many years.