TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA39158

VERIFY ADVISORY:
http://secunia.com/advisories/39158/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A boundary error in AppKit within the feature used by Cocoa applications to spell check documents can be exploited to cause a buffer overflow. Successful exploitation may allow execution of arbitrary code.

2) A timing error in the Application Firewall may result in certain rules becoming inactive after restart.

3) An access control error in AFP Server may allow mounting of AFP shares as a guest even though guest access is disabled.

4) An error exists in the path validation for shares in AFP Server and can be exploited via directory traversal attacks to read or write files accessible by the "nobody" user.

5) An error in Apache can be exploited to bypass certain security restrictions. For more information: SA36675

6) A configuration error in ClamAV introduced by a previous Security Update may prevent freshclam from running, causing virus definitions to not receive updates.

7) Two boundary errors in CoreAudio when handling QDM2 and QDMC encoded audio content can be exploited to corrupt memory. Successful exploitation may allow execution of arbitrary code.

8) An error in CoreMedia when playing H.263 encoded movie files can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

9) Missing checks in CoreTypes for ".ibplugin" and ".url" content types may result in users not being warned before opening potentially unsafe content via e.g. Safari.
Successful exploitation may allow execution of arbitrary code.

10) An error in the "lppasswd" CUPS utility can be exploited to gain escalated privileges. For more information: SA38789

11) An error exists in curl when processing X.509 certificate fields and can be exploited to conduct spoofing attacks. For more information: SA36238

12) A security issue in curl when handling the HTTP "Location" header can potentially be exploited to execute arbitrary commands. For more information: SA34138

13) A boundary error in Cyrus IMAP when handling Sieve scripts can potentially be exploited to execute arbitrary code. For more information: SA36629

14) A boundary error in the authentication module of Cyrus SASL can potentially be exploited to execute arbitrary code. For more information: SA35094

15) A security issue in DesktopServices when performing an authenticated copy in the Finder may result in copied items being assigned an unexpected file owner.

16) A security issue in DesktopServices may result in files being saved to a malicious share if a user has been tricked into mounting it via a URL scheme and then e.g. saves a file using the default save panel in any application, uses "Go to folder", or drags a folder to the save panel.

17) An error in the Disk Images component when handling bzip2 compressed disk images can be exploited to corrupt memory when a specially crafted disk image is mounted. Successful exploitation may allow execution of arbitrary code.

18) A design error in the Disk Images component when handling Internet enabled disk images containing a package file type causes it to be opened instead of displayed in the Finder. Successful exploitation may allow execution of arbitrary code.

19) A security issue when handling record names in Directory Services can be exploited to gain escalated privileges.

20) An access control error in Dovecot when Kerberos authentication is enabled allows users to send and receive mails even if the user is not permitted to do so in the service access control list (SACL).

21) A security issue in Event Monitor when handling resolved DNS names of remote ssh clients can be exploited to add arbitrary hosts to the firewall blacklist.

22) An error in the default configuration of FreeRADIUS allows using EAP-TLS with an arbitrary valid certificate to authenticate.

23) An input validation error in FTP Server can be exploited by malicious users to retrieve files outside the FTP root directory via directory traversal attacks.

24) An error in iChat Server within jabberd's handling of SASL negotiation can be exploited to cause a DoS (Denial of Service). For more information: SA19281

25) A design error in iChat Server within the support for configurable group chat logging causes only certain message types to be logged.

26) Unspecified boundary errors and a use-after-free error in iChat Server can be exploited to corrupt memory or cause stack-based buffer overflows. Successful exploitation may allow execution of arbitrary code.

27) An error in ImageIO when parsing JP2 images can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

28) Multiple vulnerabilities in ImageIO when handling BMP and TIFF images can be exploited to disclose certain data from the browser's memory or cause memory corruption. For more information see vulnerability #2, #3, #4: SA38932

29) Two errors in Image RAW when handling NEF and PEF images can be exploited to cause buffer overflows. Successful exploitation may allow execution of arbitrary code.

30) An error in Libsystem when converting data between binary floating point and text can be exploited to cause a buffer overflow. Successful exploitation may allow execution of arbitrary code.

31) An error in Mail causes user-defined rules associated with a deleted mail account to remain in effect.

32) A logic error in Mail when handling encryption certificates where multiple certificates exist in the keychain for a recipient may result in use of a weaker encryption key for outgoing mail.

33) Various vulnerabilities in Mailman can be exploited to conduct script insertion attacks. For more information: SA28794

34) Various vulnerabilities exist in the bundled version of MySQL. For more information: SA30134 SA32072 SA35767 SA37372

35) An error exists in OS Services as SFLServer runs as group "wheel" and accesses files in users' home directories. Successful exploitation may allow malicious, local users to gain escalated privileges.

36) An error in Password Server when handling replication may result in passwords not being replicated, allowing log-in with outdated passwords.

37) Various race condition errors exist in the bundled version of perl. For more information: SA13643 SA14531

38) Various vulnerabilities exist in the bundled versions of PHP. For more information: SA37412 SA37821

39) An error in Podcast Producer results in access restrictions being removed when overwriting a Podcast Composer workflow.

40) A security issue exists in Preferences when handling logins of network accounts at the Login Window which can be exploited to bypass login restrictions. Successful exploitation requires network accounts to be identified by group membership only.

41) An error in PS Normalizer when parsing PostScript files can be exploited to cause a stack-based buffer overflow.

42) Multiple vulnerabilities in QuickTime when handling H.261, H.263, H.264, RLE, M-JPEG, Sorenson, FlashPix, FLC, and MPEG encoded movie files can be exploited to corrupt memory or cause heap-based buffer overflows. Successful exploitation may allow execution of arbitrary code.

43) Various vulnerabilities exist in the bundled version of Ruby.
For more information: SA35399 SA35702 SA36600 SA37446

44) A design error in Server Admin can be exploited to anonymously extract information from Open Directory even if the "Require authenticated binding between directory and clients" option is enabled.

45) An error in Server Admin allows former members of the "admin" group to connect to the server using screen sharing.

46) An error in SMB can be exploited to cause a DoS (Denial of Service). For more information see vulnerability #2: SA36893

47) Multiple vulnerabilities exist in the bundled version of Tomcat. For more information: SA35326 SA38346

48) An uninitialised pointer error exists in unzip when extracting zip files. For more information: SA29415

49) Various vulnerabilities exist in the bundled version of vim. For more information: SA30731 SA31592

50) An error in Wiki Server can be exploited to gain knowledge of sensitive information by uploading active content (e.g. Java applets).

51) An error in Wiki Server can be exploited to bypass weblog creation restrictions as the weblog SACL is not consulted during the creation of a user's weblog.

52) Vulnerabilities exist in the bundled versions of libpng and xterm in X11. For more information: SA35346 SA8146

53) A design error in xar when validating package signatures may result in manipulated packages appearing as validly signed.

SOLUTION:
Apply Security Update 2010-002 or update to version 10.6.3.

Mac OS X Server v10.6.3 Update (Combo):
http://support.apple.com/kb/DL1019

Mac OS X Server v10.6.3 Update:
http://support.apple.com/kb/DL1020

Mac OS X v10.6.3 Update (Combo):
http://support.apple.com/kb/DL1017

Mac OS X v10.6.3 Update:
http://support.apple.com/kb/DL1018

Security Update 2010-002 (Leopard-Client):
http://support.apple.com/kb/DL1021

Security Update 2010-002 (Leopard-Server):
http://support.apple.com/kb/DL1022

PROVIDED AND/OR DISCOVERED BY:
1,3,17,19,21,23,25,26,29,41,45,53) Reported by the vendor.

The vendor credits:
2) Michael Kisor of OrganicOrb.com
4) Patrik Karlsson of cqure.net
6) Bayard Bell, Wil Shipley of Delicious Monster, and David Ferrero of Zion Software, LLC
7) anonymous researcher working with the TippingPoint Zero Day Initiative
8) Damian Put working with the TippingPoint Zero Day Initiative
9) Clint Ruoho of Laconic Security
10) Ronald Volgers
12) Daniel Stenberg of Haxx AB
15) Gerrit DeWitt of Auburn University (Auburn, AL)
16) Sidney San Martin working with DeepTech, Inc.
18) Brian Mastenbrook working with the TippingPoint Zero Day Initiative
22) Chris Linstruth of Qnet
27) Chris Ries of Carnegie Mellon University Computing Service and 85319bb6e6ab398b334509c50afce5259d42756e working with the TippingPoint Zero Day Initiative
28) Matthew 'j00ru' Jurczyk of Hispasec and Gus Mueller of Flying Meat
29) Chris Ries of Carnegie Mellon University Computing Services
30) Maksymilian Arciemowicz of SecurityReason.com
32) Paul Suh of ps Enable, Inc.
35) Kevin Finisterre of DigitalMunition
36) Jack Johnson of Anchorage School District
40) Christopher D. Grieb of University of Michigan MSIS
42) anonymous researcher, Moritz Jodeit of n.runs AG, and Damian Put working with the TippingPoint Zero Day Initiative, Nicolas Joly of Vupen, and Will Dormann of the CERT/CC.
44) Scott Gruby of Gruby Solutions and Mathias Haack of GRAVIS Computervertriebsgesellschaft mbH

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4077

OTHER REFERENCES:
SA13643: http://secunia.com/advisories/13643/
SA14531: http://secunia.com/advisories/14531/
SA19281: http://secunia.com/advisories/19281/
SA28794: http://secunia.com/advisories/28794/
SA29415: http://secunia.com/advisories/29415/
SA30134: http://secunia.com/advisories/30134/
SA30731: http://secunia.com/advisories/30731/
SA31592: http://secunia.com/advisories/31592/
SA32072: http://secunia.com/advisories/32072/
SA34138: http://secunia.com/advisories/34138/
SA35094: http://secunia.com/advisories/35094/
SA35326: http://secunia.com/advisories/35326/
SA35346: http://secunia.com/advisories/35346/
SA35399: http://secunia.com/advisories/35399/
SA35702: http://secunia.com/advisories/35702/
SA35767: http://secunia.com/advisories/35767/
SA36238: http://secunia.com/advisories/36238/
SA36600: http://secunia.com/advisories/36600/
SA36629: http://secunia.com/advisories/36629/
SA36675: http://secunia.com/advisories/36675/
SA36893: http://secunia.com/advisories/36893/
SA37372: http://secunia.com/advisories/37372/
SA37412: http://secunia.com/advisories/37412/
SA37446: http://secunia.com/advisories/37446/
SA37821: http://secunia.com/advisories/37821/
SA8146: http://secunia.com/advisories/8146/
SA38346: http://secunia.com/advisories/38346/
SA38789: http://secunia.com/advisories/38789/
SA38932: http://secunia.com/advisories/38932/