... And the Hits Just Keep On Coming
Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)
I'm running 10.2.8 and still got the security update via Software Update.
The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.
The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.
Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?
--
$tar -xvf
AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.
cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.
Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.
fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.
fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.
rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.
System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.
Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:
CAN-2003-1005: ASN.1 Decoding for PKI
CAN-2003-1008: Screen Saver text clippings
I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that (using safe boot) I had no more problems.
Also nice to see all the other Security fixes happening. gg Apple!
Also nice to see Apple giving public credit to the people who reported these security holes.
This post is offtopic to Apple but relevant to security and quick turnarounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The ballyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today with the following URL:
https://www.earthlink.net%01@211.154.171.106/li_p i n/verification/step1_e.htm
(mind the break inserted by the lameness filter!)
I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example don't mark all the hazards because they don't want hazard marking to become an expectation and get their asses sued if they don't do it well. In this case I think Apple is setting standards for bug fixes that leave Microsoft ripe for a suit by someone who gets screwed by one of their slow responses to security issues.
Some drink at the fountain of knowledge. Others just gargle.
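In the URL form quoted in the comment above, everything before the "@" is userinfo and the connection goes to the host after it; the encoded %01 is what kept the affected IE versions from displaying the rest. As an added example (not part of the original thread), here is a Python check a mail or proxy filter could run over links. The function name and the sample URLs, which use example.com and the documentation address 192.0.2.10, are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, unquote


def inspect_url(url):
    """Return (real_host, findings) for a link as it appears in a message."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the host the client will actually contact
    findings = []

    if "@" in parts.netloc:
        # Everything before the last '@' is userinfo, not the destination.
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        findings.append("userinfo-present")
        # Percent-encoded control bytes (%01, %00, ...) have no legitimate use here.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo):
            findings.append("control-char-in-userinfo")
        # A user name shaped like a domain is there to be read as the site name.
        name = "".join(c for c in userinfo if c.isprintable()).split(":")[0]
        if "." in name and name.lower() != host.lower():
            findings.append("userinfo-looks-like-host:" + name)

    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass                             # a DNS name, or no host at all
    return host, findings


# Constructed sample links (not taken from the thread).
SAMPLES = [
    "https://www.example.com%01@192.0.2.10/verify.htm",
    "https://www.example.com/account",
    "ftp://alice:secret@files.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        real_host, flags = inspect_url(link)
        print(f"{link}\n  connects to: {real_host}\n  findings: {flags or 'none'}")
```

Only the first sample raises all four findings; ordinary credentials in an FTP URL are reported as userinfo and nothing more.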