(Apple Issues Fix for OS X 10.2) Apple's QuickTime for Java May Let Remote Users Access the System

SecurityTracker Alert ID: 1008255

CVE Reference: CAN-2003-0871

Date: Nov 20 2003

Impact: User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Description: An unspecified vulnerability was reported in Apple's QuickTime for Java. A remote user may be able to gain access to the target system.

Apple reported that an unauthorized user may be able to access the system. No details were provided.

In the original report, Apple stated that QuickTime for Java in Mac OS X v10.3 and Mac OS X Server v10.3 was affected, but that previous versions were not affected. However, Apple has released a fix for 10.2.8 in APPLE-SA-2003-11-19.

Impact: A remote user may be able to gain access to the system.

Solution: Apple has released a fix as part of Security Update 2003-11-19 for Mac OS X 10.2.8, available at:

* Software Update pane in System Preferences
* Apple's Software Downloads web site:

Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b

Vendor URL: www.apple.com/quicktime/qtjava/

Cause: Not specified

Underlying OS: UNIX (OS X)

Underlying OS Comments: 10.2

Reported By: Product Security <product-security@apple.com>

Message History: This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 19 Nov 2003 17:40:26 -0800
From: Product Security <product-security@apple.com>
Subject: APPLE-SA-2003-11-19 Security Update 2003-11-19
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-11-19 Security Update 2003-11-19

Security Update 2003-11-19 is now available for Mac OS X 10.2.8 and
Mac OS X 10.3.

It is Apple's policy to quickly address significant vulnerabilities in
past releases of Mac OS X wherever feasible. Security Update
2003-11-19 includes updates to several components of Mac OS X v10.2
"Jaguar" that meet this criteria.

Updates for Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8
=================================================================

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
utility. No setuid root programs relied on gm4 and this fix is a
preventive measure against a possible future exploit.

groff: Fixes VU#399883 where the groff component pic contained a
format-string vulnerability.

Mail: Fixes CAN-2003-0881 the Mac OS X Mail application will no longer
fall back to plain text login when an account is configured to use MD5
Challenge Response.

OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.

Personal File Sharing: Fixes CAN-2003-0878 when Personal File Sharing
is enabled, the slpd daemon can no longer create a root-owned file in
the /tmp directory to gain elevated privileges.

QuickTime for Java: Fixes CAN-2003-0871 a potential vulnerability that
could allow unauthorized access to a system.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.

Updates for Mac OS X v10.3.1 "Panther" and Mac OS X Server v10.3.1
==================================================================

OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.

================================================

Security Update 2003-11-19 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    Security update 2003-11-19 for Jaguar 10.2.8
    http://www.info.apple.com/kbnum/n120277
    The download file is named: "SecurityUpd2003-11-19Jag.dmg"
    Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b

    Security Update 2003-11-19 for Panther 10.3.1
    http://www.info.apple.com/kbnum/n120278
    The download file is named: "SecurityUpd2003-11-19.dmg"
    Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80

Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
-----END PGP SIGNATURE-----