===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2005.0949
              APPLE-SA-2005-11-29 Security Update 2005-009
                              30 November 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache2
                      apache_mod_ssl
                      CoreFoundation
                      curl
                      iodbcadmintool
                      OpenSSL
                      passwordserver
                      Safari
                      sudo
                      syslog
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Inappropriate Access
                      Cross-site Scripting
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2005-3705 CVE-2005-3704 CVE-2005-3703
                      CVE-2005-3702 CVE-2005-3701 CVE-2005-3700
                      CVE-2005-3185 CVE-2005-2969 CVE-2005-2757
                      CVE-2005-2700 CVE-2005-2491 CVE-2005-2088
                      CVE-2005-1993

Original Bulletin:
  http://docs.info.apple.com/article.html?artnum=61798

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2005-11-29 Security Update 2005-009

Re-send with corrected SHA-1 digests for download packages of Security
Update 2005-009 for Mac OS X v10.4.3. No other information has been
changed.

Security Update 2005-009 is now available and delivers the following
security enhancements:

Apache2
CVE-ID: CVE-2005-2088
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Cross-site scripting may be possible in certain configurations
Description: The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers. This behavior is only
present when Apache is used in conjunction with certain proxy servers,
caching servers, or web application firewalls. This update addresses the
issue by incorporating Apache version 2.0.55.
apache_mod_ssl
CVE-ID: CVE-2005-2700
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: SSL client authentication may be bypassed in certain
configurations
Description: The Apache web server's mod_ssl module may allow an attacker
unauthorized access to a resource that is configured to require SSL
client authentication. Only Apache configurations that include the
"SSLVerifyClient require" directive may be affected. This update
addresses the issue by incorporating mod_ssl 2.8.24 and Apache version
2.0.55 (Mac OS X Server).

CoreFoundation
CVE-ID: CVE-2005-2757
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description: By carefully crafting a URL, an attacker can trigger a heap
buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution. CoreFoundation is used by Safari and other
applications. This update addresses the issue by performing additional
validation of URLs. This issue does not affect systems prior to
Mac OS X v10.4.

curl
CVE-ID: CVE-2005-3185
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting a malicious HTTP server and using NTLM authentication
may result in arbitrary code execution
Description: Using curl with NTLM authentication enabled to download an
HTTP resource may allow an attacker to supply an overlong user or domain
name. This may cause a stack buffer overflow and lead to arbitrary code
execution. This update addresses the issue by performing additional
validation when using NTLM authentication. This issue does not affect
systems prior to Mac OS X v10.4.
iodbcadmintool
CVE-ID: CVE-2005-3700
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Local users may gain elevated privileges
Description: The ODBC Administrator utility includes a helper tool called
iodbcadmintool that executes with raised privileges. This helper tool
contains a vulnerability that may allow local users to execute arbitrary
commands with raised privileges. This update addresses the issue by
providing an updated iodbcadmintool that is not susceptible.

OpenSSL
CVE-ID: CVE-2005-2969
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Applications using OpenSSL may be forced to use the weaker SSLv2
protocol
Description: Applications that do not disable SSLv2 or that enable
certain compatibility options when using OpenSSL may be vulnerable to a
protocol downgrade attack. Such attacks may cause an SSL connection to
use the SSLv2 protocol which provides less protection than SSLv3 or TLS.
Further information on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt. This update addresses
the issue by incorporating OpenSSL version 0.9.7i.

passwordserver
CVE-ID: CVE-2005-3701
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Local users on Open Directory master servers may gain elevated
privileges
Description: When creating an Open Directory master server, credentials
may be compromised. This could lead to unprivileged local users gaining
elevated privileges on the server. This update addresses the issue by
ensuring the credentials are protected.

Safari
CVE-ID: CVE-2005-2491
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Processing a regular expression may result in arbitrary code
execution
Description: The JavaScript engine in Safari uses a version of the PCRE
library that is vulnerable to a potentially exploitable heap overflow.
This may lead to the execution of arbitrary code. This update addresses
the issue by providing a new version of the JavaScript engine that
incorporates more robust input validation.

Safari
CVE-ID: CVE-2005-3702
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Safari may download files outside of the designated download
directory
Description: When files are downloaded in Safari they are normally
placed in the location specified as the download directory. However, if
a web site suggests an overlong filename for a download, it is possible
for Safari to create this file in other locations. Although the filename
and location of the downloaded file content cannot be directly specified
by remote servers, this may still lead to downloading content into
locations accessible to other users. This update addresses the issue by
rejecting overlong filenames.

Safari
CVE-ID: CVE-2005-3703
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: JavaScript dialog boxes in Safari may be misleading
Description: In Safari, JavaScript dialog boxes do not indicate the web
site that created them. This could mislead users into unintentionally
disclosing information to a web site. This update addresses the issue by
displaying the originating site name in JavaScript dialog boxes. Credit
to Jakob Balle of Secunia Research for reporting this issue.

Safari
CVE-ID: CVE-2005-3705
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting malicious web sites with WebKit-based applications may
lead to arbitrary code execution
Description: WebKit contains a heap overflow that may lead to the
execution of arbitrary code. This may be triggered by content downloaded
from malicious web sites in applications that use WebKit such as Safari.
This update addresses the issue by removing the heap overflow from
WebKit.
Credit to Neil Archibald of Suresec LTD and Marco Mella for reporting
this issue.

sudo
CVE-ID: CVE-2005-1993
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Local users may be able to gain elevated privileges in certain
sudo configurations
Description: Sudo allows system administrators to grant users the ability
to run specific commands with elevated privileges. Although the default
configuration is not vulnerable to this issue, custom sudo configurations
may not properly restrict users. Further information on this issue is
available from: http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version 1.6.8p9.

syslog
CVE-ID: CVE-2005-3704
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: System log entries may be forged
Description: The system log server records syslog messages verbatim. By
supplying control characters such as the newline character, a local
attacker could forge entries with the intention to mislead the system
administrator. This update addresses the issue by specially handling
control characters and other non-printable characters. This issue does
not affect systems prior to Mac OS X v10.4. Credit to HELIOS Software
GmbH for reporting this issue.

Additional Information

Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac OS X
v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X v10.4.3),
and ServerMigration to remove unneeded privileges.
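As an added illustration of the Safari download-directory entry above (example code written for this bulletin, not Safari's or Apple's own code): a receiver-side check that rejects an overlong or path-bearing server-suggested filename before any file is created, instead of truncating it. The 255-byte limit is an assumption standing in for the filesystem's per-component limit.

```python
import os

# Assumed per-component limit (stands in for the filesystem's NAME_MAX).
MAX_NAME_BYTES = 255


class UnsafeFilename(ValueError):
    """Raised when a server-suggested filename must not be used."""


def safe_download_path(download_dir: str, suggested: str) -> str:
    """Return the path at which a download may be created, or raise.

    The remote side may only choose a single filename component. Overlong
    names are rejected outright rather than shortened, so the location
    that is finally created can never differ from the one that was checked.
    """
    if not suggested:
        raise UnsafeFilename("empty filename")
    if len(suggested.encode("utf-8")) > MAX_NAME_BYTES:
        raise UnsafeFilename("filename exceeds component length limit")
    if "/" in suggested or "\\" in suggested or "\x00" in suggested:
        raise UnsafeFilename("path separator or NUL in filename")
    if any(ord(c) < 0x20 or c == "\x7f" for c in suggested):
        raise UnsafeFilename("control character in filename")
    if suggested in (".", ".."):
        raise UnsafeFilename("relative directory reference")
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, suggested))
    # Belt and braces: after symlink resolution the target must still sit
    # directly inside the download directory.
    if os.path.dirname(target) != base:
        raise UnsafeFilename("resolved outside download directory")
    return target


def accepts(download_dir: str, suggested: str) -> bool:
    """Predicate form of safe_download_path for checks and tests."""
    try:
        safe_download_path(download_dir, suggested)
        return True
    except UnsafeFilename:
        return False
```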
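As an added illustration of the syslog entry above (example code written for this bulletin, not Apple's syslogd): a simplified log writer in the pre-update style that stores the message body verbatim, beside one that escapes control characters so each submitted message occupies exactly one record, plus a receiver-side check that flags messages carrying such characters. The record layout and the sample message are constructed for the example.

```python
import re

# C0 control characters and DEL. A newline among them makes one submitted
# message read back as several independent log records.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a local process submits a message whose tail is
# shaped like a line from another daemon.
FORGED = "session closed\nmac sshd[812]: Accepted password for admin from 10.0.0.5"


def record_verbatim(host: str, proc: str, msg: str) -> str:
    """Pre-update behaviour: the message body is written exactly as received."""
    return f"{host} {proc}: {msg}"


def escape_control_chars(msg: str) -> str:
    """Render each control character as \\xNN so it is shown, not interpreted."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), msg)


def record_escaped(host: str, proc: str, msg: str) -> str:
    """Post-update behaviour: the body can no longer contain a record break."""
    return f"{host} {proc}: {escape_control_chars(msg)}"


def is_forgery_attempt(msg: str) -> bool:
    """Receiver-side check worth alerting on: a submitted message that
    carries control characters is trying to shape how the log reads."""
    return _CTRL.search(msg) is not None


def count_records(logtext: str) -> int:
    """Number of records a reader of the stored log would see."""
    return sum(1 for line in logtext.split("\n") if line)
```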
Security Update 2005-009 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.3
The download file is named: "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is: 5b9c8a08a46487b39b9ad530147bf1795fb4ac21

For Mac OS X Server v10.4.3
The download file is named: "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is: 7fea60219c6c3e5b3b4f4ea07f01d525f4f08ad6

For Mac OS X v10.3.9
The download file is named: "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================