Mac OS X 10.2.5 Update Available

jarrettwold2002 writes "ThinkSecret mentioned that 10.2.5 would be out this month; well, it's out much sooner than the usual end of the month dates that Apple loves. It might be available via Software Update later today or tomorrow, but is available for purchase on CD via the Apple Store, right now. 'The 10.2.5 Update delivers enhanced functionality and improved reliability for the following applications, utilities, services, and technologies: Address Book, AirPort, AppleScript, Bluetooth, Classic compatibility, Disk Copy, Disk Utility, Finder, Help Viewer, iChat, Image Capture, IP Firewall, Kerberos, Mail, OpenGL, Print Center, Rendezvous, and Sherlock.'" The release notes are not yet available. Update: 04/10 23:09 GMT by P : It is now available via Software Update, too.

Re:Is this a typo?

[dankow]

Looks pretty similar...

That's because this is a combo installer, and those are all the changes since 10.2. Read the link, and you'll find out that there's a page that lists the 10.2.5 changes separately.

Security Update Components in Mac OS X 10.2.5

[Rouxfus]

This information was distributed on Apple's security-announce mailing list:

Mac OS X 10.2.5 is now available. It contains fixes for recent vulnerabilities in:

1. Apache 2.0: Fixes CAN-2003-0132, a denial of service vulnerability in Apache 2.0 versions through 2.0.44. Apache 2.0 is distributed only with Mac OS X Server, and is not enabled by default.
   
   Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege Escalation and DoS Attack. DirectoryServices is part of the Mac OS X and Mac OS X Server information services subsystem. It is launched at startup, setuid root and installed by default. It is possible for a local attacker to modify an environment variable that would allow the execution of arbitrary commands as root. Credit to Dave G. from @stake, Inc. for the discovery of this vulnerability.
   
   File Sharing/Service: Fixes CAN-2003-0198 where the contents of the write-only DropBox folder can be revealed. When enabled, Personal File Sharing on Mac OS X or Apple File Service on Mac OS X Server, a "DropBox" folder is available by default to allow people to deposit files. This update no longer allows the permissions of the "DropBox" folder to be changed by a guest.
   
   OpenSSL: Fixes CAN-2003-0131 Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding. The patch from the OpenSSL team, which addresses this vulnerability, is applied to Mac OS X and Mac OS X Server.
   
   Samba: Fixes CAN-2003-0201 which could allow an anonymous user to gain remote root access due to a buffer overflow. The built-in Windows file sharing is based on the open source technology called Samba and is off by default in Mac OS X.
   
   sendmail: Fixes CAN-2003-0161, where address parsing code in sendmail does not adequately check the length of email addresses. Only the patch from the sendmail team is applied to the currently-shipping version of sendmail in Mac OS X and Mac OS X Server.
   
   

System requirements: Mac OS X 10.2.x (Jaguar)

Mac OS X 10.2.5 may be obtained from:

1. Software Update pane in System Preferences
2. Apple's Software Downloads web site:
3. 
   Updating from Mac OS X 10.2.4:
   http://www.info.apple.com/kbnum/n120210
   The download file is titled: MacOSXUpdate10.2.5.dmg
   Its SHA-1 digest is: 1f98f9a21c3f17be823e2d63d90e534df01b3fdf
   
   Updating from Mac OS X 10.2 through 10.2.3:
   http://www.info.apple.com/kbnum/n120211
   The download file is titled: MacOSXUpdateCombo10.2.5.dmg
   Its SHA-1 digest is: a8ed6287d5bd0bdf67a2c0fd97b3af810f178d21
   
   

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_upd ates.html

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp .html