Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Releases Mac OS X 10.3.9 Update

Posted by pudge on from the last-call dept.

OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.

8 of 149 comments (clear)

  1. Undocumented bug fix by objekt · · Score: 4, Informative

    Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.

    --
    -- Boycott Shell
  2. Safari 1.3 by OmniVector · · Score: 4, Informative

    wow i'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders. Also, one of my Safari plugins caused safari to crash on launch. (AcidSearch it appears).

    lastly, folks, beware of the warning on apple's front page with this update if you're running mac os x server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.

    --
    - tristan
    1. Re:Safari 1.3 by Matthias+Wiesmann · · Score: 5, Informative

      Information about the changes in Safari 1.3 can be found on on David Hyatt's blog.

  3. Mainly bugfixes? You should do PR for microsoft:) by dfelznic · · Score: 4, Informative

    There are definitely some bugfixes for stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for a update that is "mostly bugfixes."

    For whatever reason apple felt icky about calling it an "update," so they threw in this language:

    "Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    APPLE-SA-2005-04-15 Mac OS X v10.3.9

    Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:

    Kernel
    CVE ID: CAN-2005-0969
    Impact: A kernel input validation issue can lead to a local denial of service
    Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0970
    Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0971
    CERT: VU#212190
    Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
    Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.

    Kernel
    CVE ID: CAN-2005-0972
    CERT: VU#185702
    Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
    Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.

    Kernel
    CVE ID: CAN-2005-0973
    Impact: Local system users can cause a system resource starvation
    Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0974
    CERT: VU#713614
    Impact: Local system users can cause a local denial of service
    Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.

    Kernel
    CVE ID: CAN-2005-0975
    Impact: Local system users can cause a temporary interruption of system operation
    Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.

    Safari
    CVE ID: CAN-2005-0976
    Impact: Remote sites could cause html and javascript to run in the local domain.
    Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.

    Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.

    Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

    --
    Douglas Calvert
  4. Re:OT: Trackpad in Firefox by steeviant · · Score: 5, Informative

    It's actually an issue with firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...

    From macosxhints.com:
    In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:

    * mousewheel.horizscroll.withnokey.action => 0
    * mousewheel.horizscroll.withnokey.sysnumlines => true

  5. Re:Trackpad by poopdeville · · Score: 4, Informative

    Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.

    That's because Software Update downloaded a fresh copy of Safari for you. Your "personal" bookmarks are stored in your ~/Library/ directory somewhere, whereas the stock ones are in the application bundle.

    --
    After all, I am strangely colored.
  6. Re:Java broken now? by rworne · · Score: 4, Informative

    It's fixed.

    Downloaded Security Update 2005-002 from Apple
    Apply update
    Reboot
    Verify Java works: "java -version" in Terminal.app
    Apply 10.3.9 Combo Updater
    Reboot
    Verify Java works: "java -version" in Terminal.app

    All I know is that it works again for me.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  7. Re:Apple removes basic UNIX features from 10.3.9 by pete_yandell · · Score: 4, Informative

    Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.