===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2007.1013 -- [Mac][OSX]
Java Release 6 for Mac OS X 10.4
17 December 2007
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Java
Publisher:         Apple
Operating System:  Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Increased Privileges
                   Inappropriate Access
Access:            Remote/Unauthenticated
CVE Names:         CVE-2007-5862 CVE-2007-5232 CVE-2007-4381
                   CVE-2007-3922 CVE-2007-3698 CVE-2007-3655
                   CVE-2007-3504 CVE-2007-3503 CVE-2007-3005
                   CVE-2007-3004 CVE-2007-2789 CVE-2007-2788
                   CVE-2007-2435 CVE-2007-0243 CVE-2006-6745
                   CVE-2006-6736 CVE-2006-6731 CVE-2006-4339

Ref:               ESB-2007.0597

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4

Java Release 6 for Mac OS X 10.4 is now available and addresses the
following issues:

Java
CVE-ID: CVE-2007-5862
Available for: Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: A malicious webpage can remove or insert keychain items
Description: An access check may be bypassed for Keychain updates. A
specially crafted Java applet may be able to add or remove items from
a user's Keychain, without prompting the user. This update addresses
the issue through an improved access check. This issue does not
affect systems running Mac OS X v10.5 and later. Credit to Bruno
Harbulot of the University of Manchester for reporting this issue.

Java
CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745,
CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005,
CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381,
CVE-2007-5232
Available for: Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities exist in Java 1.4
Description: Multiple vulnerabilities exist in Java 1.4, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating Java 1.4 to version
1.4.2_16. These issues are already addressed in systems running
Mac OS X v10.5 and later.

Java
CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004,
CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655,
CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232
Available for: Mac OS X v10.4.10, Mac OS X v10.4.11,
Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities exist in J2SE 5.0
Description: Multiple vulnerabilities exist in J2SE 5.0, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating J2SE 5.0 to version
1.5.0_13. These issues are already addressed in systems running
Mac OS X v10.5 and later.

Java Release 6 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 and Mac OS X v10.4.11
The download file is named: "JavaForMacOSX10.4Release6.dmg"
Its SHA-1 digest is: ee4e261070354b0f95f88a92a1b00f8cf39886c4

Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
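
Added example, not part of the AusCERT or Apple text: a check that an affected Mac OS X v10.4.10/10.4.11 host reports at least the fixed Java releases named in the bulletin (1.4.2_16 and 1.5.0_13), and that a downloaded JavaForMacOSX10.4Release6.dmg matches the published SHA-1 digest. The function names and the sample `java -version` output are assumptions constructed for illustration.

```python
import hashlib
import re

# Values taken from the bulletin: fixed release per Java family, and the
# SHA-1 digest published for JavaForMacOSX10.4Release6.dmg.
FIXED = {(1, 4): (1, 4, 2, 16), (1, 5): (1, 5, 0, 13)}
DMG_SHA1 = "ee4e261070354b0f95f88a92a1b00f8cf39886c4"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Extract (major, minor, micro, update) from `java -version` output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Java version string found")
    return tuple(int(g) if g else 0 for g in m.groups())


def patch_status(text):
    """Classify a version against the fixed releases named in the bulletin."""
    version = parse_java_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not covered by this bulletin"
    return "patched" if version >= fixed else "needs update"


def sha1_matches(path, expected=DMG_SHA1):
    """Hash the file in chunks and compare with the published digest."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected.strip().lower()


# Constructed sample of `java -version` output (not captured from a real host).
SAMPLE = 'java version "1.5.0_07"\nJava(TM) 2 Runtime Environment (build 1.5.0_07-164)\n'

if __name__ == "__main__":
    print(SAMPLE.splitlines()[0], "->", patch_status(SAMPLE))
    for v in ("1.4.2_16", "1.4.2_12", "1.5.0_13"):
        print(v, "->", patch_status(v))
```
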