While the full list is too long to give in detail, the mDNSResponder
item is too priceless not to post in full, I think:
-----
mDNSResponder
CVE-ID: CVE-2007-3744
Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: An attacker on the local network may be able to cause a denial
of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in the Mac OS X
implementation of mDNSResponder. By sending a maliciously crafted
packet, an attacker on the local network can trigger the overflow
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by removing UPnP IGD
support. This issue does not affect systems prior to Mac OS X v10.4.
----
Which I would read as - our UPnP IGD implementation is hopelessly
broken. It can never be fixed. We give up.
Cheers
Mark
On 7/31/07, Todd Woodward wrote:
> Apple today released a fairly hefty security update: APPLE-SA-2007-07-31 Security Update 2007-007
>
> http://docs.info.apple.com/article.html?artnum=306172
>
> The updates are for:
>
> Mac OS X v10.3.9
> Mac OS X Server v10.3.9
> Mac OS X v10.4.10
> Mac OS X Server v10.4.10
>
> Too numerous to detail, here is a shortlist of items updated:
>
> Bzip2
> CFNetwork (2)
> CoreAudio (3)
> Cscope
> Gnuzip
> iChat
> Kerberos
> mDNSResponder
> PDFKit
> PHP
> Quartz Composer
> Samba (3)
> SquirrelMail (Panther and Tiger Server Only)
> Tomcat (Panther and Tiger Server Only)
> WebCore (4)
> WebKit (2)
>
>
> Security Response Researcher
> Focus-Apple Moderator
> ________________________________________
> Todd D. Woodward
> Technical Support Engineer
> NetBackup Support
> Symantec Corporation
> www.symantec.com
> ________________________________________
> Office:541-335-7441
> ________________________________________
>
>
>