|
|
苹果总是喜欢一次性发布大量补丁,例如上次是25个,本次是17个.当地时间5月24日,苹果发布了17个安全报告,其中包含一个严重漏洞,发生在Mac OS X v10.4.9 与 Mac OS X Server v10.4.9的 CoreGraphics 组件中,它可以引发系统或应用程序直接关闭,不过该问题却不影响Mac OS X v10.4之前的系统.所有的更新都可以在苹果的下载中心下载到,以下是苹果本次的漏洞列表.
Alias Manager
Affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
Impact: Users may be misled into opening a substituted file.
Due to implementation issues, Alias Manager under certain circumstances won't show identically named files contained in identically named mounted disk images. By enticing a user to mount two identically named disk images, an attacker could mislead the user into opening a malicious program, according to Apple.
BIND
There are four vulnerabilities in BIND in Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9. The worst can lead to a remote DoS (denial of service).
crontabs
The daily/tmp cleanup script may lead to a DoS in Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
When the daily cleanup script is executed, Filesystems mounted in the /tmp directory may be deleted, which may lead to a DoS.
fetchmail
Users can be tricked into disclosing their passwords because of a cryptographic weakness in Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
iChat
An attacker on a local network can cause a DoS or execute arbitrary code due to a buffer overflow vulnerability in the UPnP IGD (Internet Gateway Device) Standardized Device Control Protocol code used to create Port Mappings on home NAT gateways in iChat. The exploit works by sending a maliciously crafted packet that triggers the overflow. This bug affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
mDNSResponder
An attacker on a local network can cause DoS or execute arbitrary code due to a buffer overflow vulnerability in the UPnP IGD Standardized Device Control Protocol code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow. The patch is for Mac OS X v10.4.9 and Mac OS X Server v10.4.9; versions prior to Mac OS X v10.4 aren't affected.
PPP
This vulnerability, which allows local users to obtain system privileges, is found in the PPP daemon when loading plug-ins via the command line. This one affects Mac OS X v10.4.9 and Mac OS X Server v10.4.9 but no systems prior to Mac OS X v10.4.
Ruby
The Ruby CGI library has a DoS vulnerability in its CGI library. An attacker can trigger a situation that could lead to a DoS by sending maliciously crafted HTTP requests to a Web application using cgi.rb. The patch is for Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
Screen
GNU Screen has multiple DoS vulnerabilities in its screen command tool. This affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9. GNU has more information on its site.
texinfo
A file-handling issue in texinfo may allow arbitrary files to be overwritten. The vulnerability may allow a local user to create or overwrite files with the privileges of a user running texinfo. This affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9.
VPN
The vpnd command has a format string vulnerability. Local users can trigger it with maliciously crafted arguments, which can lead to system takeover. This affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9. |
|
发表于 2007-5-26 08:46:50
发表于 2007-5-26 10:02:18
