Re: Why would the government fund something... on Tor: A JAP Replacement · Score: 2, Informative
To quote Paul Syverson from his PET talk: "The man needs your cover traffic just as much as you need the man for his cover traffic."
I am using Tor right now to read Slashdot as well as IRC and GAIM. Tor is not supposed to be as low latency as your normal connection. Security is a trade-off; the slight degradation in latency is worth the improved anonymity...
Hello,
There is a forensics mailing list on SecurityFocus. Also check out Dan Farmer and Wietse's Coroner's Toolkit. Three books that I like, in order, are:
Is this a common practice?
Publisher:
http://wildegg.com/about.htm
From his personal site:
"Wild Egg is a new, small publisher of high quality mathematical texts. I am the director of this fledgling outfit, and hope to establish in the years to come a spare but illustrious line of mathematical texts that break out of the usual mold. The first offering will be Divine Proportions: Rational Trigonometry to Universal Geometry. hopefully due out in September 2005, and available over the internet at http://wildegg.com./"
That is the interactive command line option. did you mean -r for restricted?
I do not understand why setuid scripts are any different than setuid binaries?
I got it from Apple's Security mailing list, it is also available on the security website. Where else?
http://docs.info.apple.com/article.html?artnum=301327
I wish I was wrong about this but it seems Apple tried to pull a fast one on this. It really would have been nice if Apple released these security updates separately from the OS upgrade like they said they did. But I cannot find these updates anywhere else...
There are definitely some bugfixes for Stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for an update that is "mostly bugfixes."
For whatever reason Apple felt icky about calling it an "update," so they threw in this language:
"Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-04-15 Mac OS X v10.3.9
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:
Kernel
CVE ID: CAN-2005-0969
Impact: A kernel input validation issue can lead to a local denial of service
Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.
Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation.
Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
Kernel
CVE ID: CAN-2005-0971
CERT: VU#212190
Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.
Kernel
CVE ID: CAN-2005-0972
CERT: VU#185702
Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.
Kernel
CVE ID: CAN-2005-0973
Impact: Local system users can cause a system resource starvation
Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.
Kernel
CVE ID: CAN-2005-0974
CERT: VU#713614
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.
Kernel
CVE ID: CAN-2005-0975
Impact: Local system users can cause a temporary interruption of system operation
Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.
Safari
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.
Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
Where can I find info on DoD 2250?
What is wrong with Coral? http://www.coralcdn.org/
Take a gander at:
http://www.tomsnetworking.com.nyud.net:8090/Sections-article106.php
Hello,
Sorry to reply to my own post. I heard back from the Mozilla people and the problem is that the KEY file was not updated. They are transitioning to a new release signing system. There is a bug in Bugzilla for the problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=68079
Hello,
I downloaded the Firefox dmg for en-us. The gpg signature listed in the KEY file is different than the key used to sign the file. Any Mozilla developers know what is going on?
currently N=3 on tor...
David Reed is not one of the people I would deride with the anonymous "a technologist."
Hello, here is my reading list for the summer:
Linked: The New Science of Networks
Emergence: The Connected Lives of Ants,...
A New Kind of Science
Letters to a Young Contrarian
Flesh and Machines: How Robots Will...
Our Posthuman Future: Consequences of...
I have already read Linked. I liked it a lot; however, it gets repetitive at times...
Hah,
I thought the pen was for making those marks on your hands for getting into bars. Those things never look clear and always look like a glowing glob on your wrist. I guess you guys read too much Slashdot...
How many /.ers are going to run over and start up a client in order to get 500 bucks? I realize not everyone is going to run over but it will be interesting to see if there is a spike in their productivity. I stopped doing seti@home a while ago, when the reports of small amounts of data came out. I went back to dnet, but I still did more than 85% of the people...
If I get the loot I will donate half of it to the GNU foundation...
Hey,
Here are some cool gpg links:
http://biglumber.com
key Signing Mailing List
Encrypt!!!
Hello,
Anyone interested in having a key signing in Syracuse, NY or close, let me know...
dfcanize.org
Hello,
How can you detect transparent proxying? Or opaque proxying?
How many times has a Slashdot story linked to a PDF on a server that got ./ed? How many dynamic PDFs do you see floating around? I got bad news for you, most of the web is not dynamic...
Not a great example of detective work. I saw this on the politech list and it was made to seem like they got a lot more info. This was just basic network enumeration. Any kiddie could have done this after reading the first few chapters of Hacking Exposed.
Do we pay tariffs in the US on recordable media?
Can someone provide a link to this?
Know Your Enemy: Revealing the Security...
Computer Forensics
Hacker's Challenge
The Hacker's Challenge is a little weak on info sometimes. A lot of the challenges are deduced from info that they don't give you...
Hello, I think it would be very interesting to make an FOIA request for the source code to some small insignificant government application. The source code is produced via public funds and belongs to the people just like any other government document. Anyone ever tried this?
I got started but never finished it. I found this book to be pretty helpful:
The CISSP Prep Guide: Mastering the Ten Domains of Computer Security
Good luck. From what I hear this book is also useful but somewhat overkill for the junior CISSP cert...