APPLE-SA-2009-11-09-1 Security Update 2009-006 / Mac OS X v10.6.2
Apple has released a security update that addresses a large set of CVE-IDs, including AFP memory corruption, an adaptive firewall dictionary-attack detection flaw, Apache updates, Apple Type Services, Certificate Assistant, CoreGraphics, CoreMedia, Directory Services, CUPS, Disk Images, Dovecot, fetchmail, Event Monitor, file, FTP Server, ImageIO, Help Viewer, IOKit, UCCompareTextDefault, IPSec, Kernel, Launch Services, libxml, libsecurity, OpenLDAP, OpenSSH, PHP, QuickDraw Manager, QuickLook, QuickTime, FreeRADIUS, Login Window (the guest account issues), Screen Sharing, Subversion and Spotlight. It is recommended that this update be applied via Software Update.
The complete update package for Mac OS X Server is approximately 524 megabytes.
Some of the major issues fixed include the following:
Adaptive Firewall - A brute-force or dictionary attack may not be detected properly by the adaptive firewall: it does not notice SSH login attempts that use invalid (non-existent) user names, so an attacker cycling through account names never trips a block. The update improves detection of these events and the generation of temporary block rules.
Apache - Several Apache CVE-IDs are addressed by updating Apache to version 2.2.13 and the Apache Portable Runtime to 1.3.8; the HTTP TRACE method is now disabled by default (TRACE reflects the request, headers and cookies included, back to the client, which is what cross-site tracing abuses). You can visit http://apache.org/ for more information.
Certificate Assistant - SSL certificate handling is improved so that NUL characters in the Common Name field are no longer mishandled (a CN such as "www.bank.example\0.attacker.example" could previously be accepted as "www.bank.example" by code that treats the field as a C string). In addition, libsecurity now refuses X.509 certificates signed with MD2 unless the certificate is a trusted root. Administrators should re-issue any MD2-signed certificates using SHA-1.
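As an added illustration (example code written for this page, not Apple's adaptive firewall or afctl), the detector below counts failed SSH logins per source address over a few constructed sshd log lines and shows why skipping the "invalid user" lines leaves a name-guessing dictionary attack undetected. The sample log, the threshold of three failures and the ipfw-style rule string are this example's own choices, not the adaptive firewall's settings.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not a real capture). 203.0.113.5 cycles through
# account names that do not exist; 198.51.100.7 hammers a real account.
SAMPLE_LOG = """\
Nov 10 09:12:01 srv sshd[801]: Invalid user admin from 203.0.113.5
Nov 10 09:12:01 srv sshd[801]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Nov 10 09:12:03 srv sshd[802]: Invalid user oracle from 203.0.113.5
Nov 10 09:12:03 srv sshd[802]: Failed password for invalid user oracle from 203.0.113.5 port 40212 ssh2
Nov 10 09:12:05 srv sshd[803]: Invalid user test from 203.0.113.5
Nov 10 09:12:05 srv sshd[803]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Nov 10 09:13:10 srv sshd[811]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov 10 09:13:12 srv sshd[812]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Nov 10 09:13:14 srv sshd[813]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Nov 10 09:14:00 srv sshd[820]: Accepted password for bob from 192.0.2.9 port 52000 ssh2
"""

# One failed-authentication line; the optional "invalid user " marks a non-existent account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_attempts(log_text, count_invalid_users=True):
    """Count failed SSH logins per source IP.

    count_invalid_users=False reproduces the blind spot the update closes: attempts
    against non-existent accounts are skipped, so a name-guessing attacker is invisible.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        if m.group("invalid") and not count_invalid_users:
            continue
        counts[m.group("ip")] += 1
    return counts

def offenders(log_text, threshold=3, count_invalid_users=True):
    """Source IPs that reach the failure threshold and should get a temporary block rule."""
    counts = failed_attempts(log_text, count_invalid_users)
    return {ip for ip, n in counts.items() if n >= threshold}

def block_rule(ip, rule_number=1000):
    """Illustrative ipfw deny rule for an offender (the real adaptive firewall manages its own rules)."""
    return f"ipfw add {rule_number} deny ip from {ip} to any"

if __name__ == "__main__":
    print("old behaviour  :", sorted(offenders(SAMPLE_LOG, count_invalid_users=False)))
    print("fixed behaviour:", sorted(offenders(SAMPLE_LOG)))
    for ip in sorted(offenders(SAMPLE_LOG)):
        print(block_rule(ip))
```

With the invalid-user lines ignored only 198.51.100.7 reaches the threshold; counting them as well also flags 203.0.113.5, the host that never touched a real account. Any rule the detector emits should carry an expiry, as the adaptive firewall's temporary rules do, so a spoofed or shared source address is not blocked indefinitely.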
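The two certificate checks above, as an added example written for this page rather than code from Apple's libsecurity or Certificate Assistant: a hand-built DER Name carries a Common Name with an embedded NUL, a C-string style comparison is fooled by it while a length-aware comparison is not, and the signature algorithm OID is screened for MD2 with the trusted-root exception. The OIDs are the standard PKIX values; the helper names, the host names and the minimal DER encoder and decoder are this example's own and are not a substitute for a full X.509 parser.

```python
MD2_WITH_RSA = "1.2.840.113549.1.1.2"   # md2WithRSAEncryption
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption
CN_OID = "2.5.4.3"                      # id-at-commonName

# --- minimal DER helpers, just enough to build and walk an X.501 Name (example code) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, i=0):
    """Return (tag, body, next_offset) for the TLV starting at offset i."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, buf[i:i + n], i + n

def build_name(cn):
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { OID commonName, UTF8String cn })."""
    atv = der(0x30, der(0x06, encode_oid(CN_OID)) + der(0x0C, cn))
    return der(0x30, der(0x31, atv))

def common_name(name_der):
    """Walk the Name and return the CN value as length-delimited bytes, NUL included."""
    _, rdns, _ = parse_tlv(name_der)
    i = 0
    while i < len(rdns):
        _, rdn, i = parse_tlv(rdns, i)
        j = 0
        while j < len(rdn):
            _, atv, j = parse_tlv(rdn, j)
            _, oid, k = parse_tlv(atv)
            if decode_oid(oid) == CN_OID:
                _, value, _ = parse_tlv(atv, k)
                return value
    raise ValueError("no commonName in Name")

def cn_matches_cstring(cn, host):
    """The flawed comparison: the CN is handed to C-string code and stops at the first NUL."""
    return cn.split(b"\x00", 1)[0] == host.encode()

def cn_matches(cn, host):
    """Hardened: compare the whole length-delimited value; an embedded NUL is never valid."""
    if b"\x00" in cn:
        return False
    return cn.lower() == host.encode().lower()

def signature_acceptable(sig_oid, is_trusted_root):
    """The libsecurity rule described above: reject MD2 signatures unless the cert is a trusted root."""
    if sig_oid == MD2_WITH_RSA:
        return is_trusted_root
    return True

if __name__ == "__main__":
    cn = common_name(build_name(b"www.bank.example\x00.attacker.example"))
    print("C-string check accepts   :", cn_matches_cstring(cn, "www.bank.example"))
    print("length-aware check accepts:", cn_matches(cn, "www.bank.example"))
```

The trusted-root exception is safe because a root's self-signature is never what establishes trust; the root is trusted because it sits in the anchor store. Every certificate below it still needs a signature made with a stronger hash, which is why the MD2-signed leaf and intermediate certificates are the ones to re-issue.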
OpenSSH - Updated to 5.2p1; see http://www.openssh.org/txt/release-5.2 for the release notes.
OpenLDAP - An attacker in a privileged network position could mount a man-in-the-middle attack against an LDAP connection even when SSL is used. This is the same Common Name handling problem described above, and OpenLDAP's SSL certificate handling is improved accordingly. Several OpenLDAP patches are also applied to prevent denial of service and malicious code execution. Visit http://www.openldap.org/ for more information.
Login Window - The guest account issues have been addressed in 10.6.x with improved credential handling.
IPSec - Several vulnerabilities in the racoon daemon (the IKE daemon that negotiates IPSec keys) are mitigated by applying IPSec-Tools patches. https://trac.ipsec-tools.net/ is worth a look; make sure you understand IPSec before deploying it, since a misconfiguration is far more dangerous than not using it at all.
Subversion - Various heap buffer overflows are addressed by updating Subversion to 1.6.5.