Apple today released Mac OS X 10.2.8 Update via the Software Update Control Panel, which delivers a number of security enhancements, including those for the OpenSSH and Sendmail vulnerabilities noted last week (details below). Apple also says the update "delivers enhanced functionality and improved reliability for the following applications, services and technologies: Audio, Bluetooth, Classic compatibility, Finder, Graphics, LDAP, Power Management, Safari, and FireWire and USB device compatibility. The update also provides updated security services and includes the latest Security Updates." Apple says the update works only with G3- and G4-based Macs, and does not work with Power Mac G5 computers.
Windows on external displays connected to some PowerBook computers are drawn better.
The Bluetooth menu bar item works better when a Bluetooth USB adapter is disconnected and reconnected.
Addresses a situation in which an external FireWire storage device would not become available (mount) and this message would appear: "A disk attempting to mount as 'unknown' has failed. Please use Disk Utility to check the disk."
Addresses an issue in which some Bluetooth devices may not be available after the computer wakes from sleep.
Addresses an issue in which some Bluetooth keyboards may show a delayed response when you press a key after the computer wakes from sleep.
Addresses an issue in which some iBook computers could make a clicking sound when using Mac OS X 10.2.5 or 10.2.6.
Reduces a potential delay when removing some devices from the Bluetooth pairing list.
Addresses a potential issue in which an audio application can unexpectedly quit when a USB- or FireWire-based audio device is disconnected.
Bluetooth preferences correctly displays the Bluetooth menu bar item's status if the item was enabled elsewhere.
Includes several enhancements for Safari.
Includes support for USB 2.0 devices, including PCI and PC cards for computers that do not include USB 2.0 hardware.
Mac OS X 10.2.8 also addresses several security issues, as noted by Apple's security team:
OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack.
To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is: OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f.
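Because Apple applied only the selected patches rather than moving to OpenSSH 3.7.1, a plain version-number comparison would misreport a patched 10.2.8 system as vulnerable. The shell function below is an added example, not part of the article or of Apple's update, that classifies the banner printed by "ssh -V" as patched or unpatched for CAN-2003-0693: it accepts either Apple's "+CAN-2003-0693" tag (the 10.2.8 string quoted above) or an upstream version of 3.7.1 or later, the release the article names as carrying the full fix set. All sample banners other than the 10.2.8 one are constructed for illustration, and check_local_ssh is a hypothetical wrapper added here.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: classify the line that
# "ssh -V" prints (it goes to stderr, hence the 2>&1 below) as patched or not
# for CAN-2003-0693. A build counts as patched if it carries Apple's backport
# tag "+CAN-2003-0693" (the 10.2.8 string quoted in the article) or if it is
# upstream OpenSSH 3.7.1 or later, the release the article names as carrying
# the full fix set. Sample banners other than the 10.2.8 one are constructed.

# openssh_patched "VERSION_LINE": exit 0 if patched, 1 if not or unparseable.
openssh_patched() {
    line=$1

    # Path 1: Apple's selective backport marker.
    case $line in
        *+CAN-2003-0693*) return 0 ;;
    esac

    # Path 2: parse "OpenSSH_X.Y[.Z]..." and compare against 3.7.1.
    case $line in
        OpenSSH_*) ;;
        *) return 1 ;;            # not an OpenSSH banner at all
    esac
    core=${line#OpenSSH_}         # e.g. "3.7.1p2, SSH protocols ..."
    core=${core%%[!0-9.]*}        # keep leading digits and dots: "3.7.1"

    old_ifs=$IFS
    IFS=.
    set -- $core                  # $1=major $2=minor $3=patch (may be absent)
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Encode as one integer so a single comparison covers all three fields.
    [ $((major * 10000 + minor * 100 + patch)) -ge 30701 ]
}

# check_local_ssh (hypothetical helper): run against the installed binary.
check_local_ssh() {
    openssh_patched "$(ssh -V 2>&1)"
}

# Constructed sample banners (the first is the 10.2.8 string from the article).
APPLE_10_2_8='OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f'
UNPATCHED_3_4='OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f'
UPSTREAM_3_7_1='OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f'
OLD_3_6_1='OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090609f'

for banner in "$APPLE_10_2_8" "$UNPATCHED_3_4" "$UPSTREAM_3_7_1" "$OLD_3_6_1"; do
    if openssh_patched "$banner"; then
        printf 'patched   : %s\n' "$banner"
    else
        printf 'UNPATCHED : %s\n' "$banner"
    fi
done
```

The tag check runs before the numeric comparison on purpose: a vendor backport keeps the old version number, so any inventory script that keys only on "OpenSSH_3.4p1" will flag every 10.2.8 host as unpatched. Note that "ssh -V" writes its banner to stderr, so it must be redirected with 2>&1 before it can be captured.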
Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing.
fb_realpath(): Fixes CAN-2003-0466, an off-by-one error in the fb_realpath() function that may allow attackers to execute arbitrary code.
arplookup(): Fixes CAN-2003-0804. The arplookup() function caches ARP requests for routes on a local link. An attacker on the same local subnet can send enough spoofed ARP requests to exhaust kernel memory, leading to a denial of service.