-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2007.1013 -- [Mac][OSX]
                     Java Release 6 for Mac OS X 10.4
                             17 December 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Java
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5862 CVE-2007-5232 CVE-2007-4381
                      CVE-2007-3922 CVE-2007-3698 CVE-2007-3655
                      CVE-2007-3504 CVE-2007-3503 CVE-2007-3005
                      CVE-2007-3004 CVE-2007-2789 CVE-2007-2788
                      CVE-2007-2435 CVE-2007-0243 CVE-2006-6745
                      CVE-2006-6736 CVE-2006-6731 CVE-2006-4339

Ref:                  ESB-2007.0597

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4

Java Release 6 for Mac OS X 10.4 is now available and addresses the
following issues:

Java
CVE-ID:  CVE-2007-5862
Available for:  Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact:  A malicious webpage can remove or insert keychain items
Description:  An access check may be bypassed for Keychain updates. A
specially crafted Java applet may be able to add or remove items from
a user's Keychain, without prompting the user. This update addresses
the issue through an improved access check. This issue does not
affect systems running Mac OS X v10.5 and later. Credit to Bruno
Harbulot of the University of Manchester for reporting this issue.

Java
CVE-ID:  CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745,
CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005,
CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381,
CVE-2007-5232
Available for:  Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities exist in Java 1.4
Description:  Multiple vulnerabilities exist in Java 1.4, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating Java 1.4 to version
1.4.2_16. These issues are already addressed in systems running Mac
OS X v10.5 and later.

Java
CVE-ID:  CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004,
CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655,
CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232
Available for:  Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities exist in J2SE 5.0
Description:  Multiple vulnerabilities exist in J2SE 5.0, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating J2SE 5.0 to version
1.5.0_13. These issues are already addressed in systems running Mac
OS X v10.5 and later.

Java Release 6 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 and Mac OS X v10.4.11
The download file is named:  "JavaForMacOSX10.4Release6.dmg"
Its SHA-1 digest is:  ee4e261070354b0f95f88a92a1b00f8cf39886c4

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
