Apple releases Security, MPEG-2 playback updates
updated 01:25 am EST, Sat December 20, 2003
Security Update released
Apple has released Security Update 2003-12-19, which it says delivers a number of security enhancements, including several updated components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. The update was via a download at the Apple Store). Both are available via the Mac OS X Software Update.
- AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.
- cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.
- Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.
- fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.
- fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.
- rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.
- System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.
Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:
- CAN-2003-1005: ASN.1 Decoding for PKI
- CAN-2003-1008: Screen Saver text clippings

Fresh-Faced Recruit
Joined: Jul 2001
um?
Couldn't they have just included the security update with 10.3.2? That makes 5 downloads in the last two days (groan).