hä das ging aber schnell

Bei mir läd das ewig...

APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8

Security Update 2009-003 / Mac OS X v10.5.8 is now available and
addresses the following:

bzip2
CVE-ID: CVE-2008-1372
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Decompressing maliciously crafted data may lead to an
unexpected application termination
Description: An out-of-bounds memory access exists in bzip2. Opening
a maliciously crafted compressed file may lead to an unexpected
application termination. This update addresses the issue by updating
bzip2 to version 1.0.5. Further information is available via the
bzip2 web site at http://bzip.org/

CFNetwork
CVE-ID: CVE-2009-1723
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: A maliciously crafted website may control the displayed
website URL in a certificate warning
Description: When Safari reaches a website via a 302 redirection and
a certificate warning is displayed, the warning will contain the
original website URL instead of the current website URL. This may
allow a maliciously crafted website that is reached via an open
redirector on a user-trusted website to control the displayed website
URL in a certificate warning. This issue was addressed by returning
the correct URL in the underlying CFNetwork layer. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Kevin Day of
Your.Org, and Jason Mueller of Indiana University for reporting this
issue.

ColorSync
CVE-ID: CVE-2009-1726
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: A heap buffer overflow exists in the handling of images
with an embedded ColorSync profile. Opening a maliciously crafted
image with an embedded ColorSync profile may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of ColorSync
profiles. Credit to Chris Evans of the Google Security Team for
reporting this issue.

CoreTypes
CVE-ID: CVE-2009-1727
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Users are not warned before opening certain potentially
unsafe content types
Description: This update extends the system's list of content types
that will be flagged as potentially unsafe under certain
circumstances, such as when they are downloaded from a web page.
While these content types are not automatically launched, if manually
opened they could lead to the execution of a malicious JavaScript
payload. This update improves the system's ability to notify users
before handling content types used by Safari. Credit to Brian
Mastenbrook, and Clint Ruoho of Laconic Security for reporting this
issue.

Dock
CVE-ID: CVE-2009-0151
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: A person with physical access to a locked system may use
four-finger Multi-Touch gestures
Description: The screen saver does not block four-finger Multi-Touch
gestures, which may allow a person with physical access to a locked
system to manage applications or use Expose. This update addresses
the issue by properly blocking Multi-Touch gestures when the screen
saver is running. This issue only affects systems with a Multi-Touch
trackpad.

Image RAW
CVE-ID: CVE-2009-1728
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted Canon RAW image may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of Canon
RAW images. Viewing a maliciously crafted Canon RAW image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking. For
Mac OS X v10.4 systems, this issue is already addressed with Digital
Camera RAW Compatibility Update 2.6. Credit to Chris Ries of Carnegie
Mellon University Computing Services for reporting this issue.

ImageIO
CVE-ID: CVE-2009-1722
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in ImageIO's handling of
OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue by updating OpenEXR to version 1.6.1.
Credit to Lurene Grenier of Sourcefire VRT, and Chris Ries of
Carnegie Mellon University Computing Services for reporting this
issue.

ImageIO
CVE-ID: CVE-2009-1721
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in
ImageIO's handling of OpenEXR images. Viewing a maliciously crafted
OpenEXR image may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of OpenEXR
images. Credit: Apple.

ImageIO
CVE-ID: CVE-2009-1720
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple integer overflows exist in ImageIO's handling
of OpenEXR images. Viewing a maliciously crafted OpenEXR image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issues through improved bounds
checking. Credit: Apple.

ImageIO
CVE-ID: CVE-2009-2188
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in ImageIO's handling of EXIF
metadata. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect systems prior to Mac OS X v10.5.

ImageIO
CVE-ID: CVE-2009-0040
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling
of PNG images. Processing a maliciously crafted PNG image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PNG images. Credit to Tavis Ormandy of the Google Security Team
for reporting this issue.

Kernel
CVE-ID: CVE-2009-1235
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: A local user may obtain system privileges
Description: An implementation issue exists in the kernel's handling
of fcntl system calls. A local user may overwrite kernel memory and
execute arbitrary code with system privileges. This update addresses
the issue through improved handling of fcntl system calls. Credit to
Razvan Musaloiu-E. of Johns Hopkins University, HiNRG for reporting
this issue.

launchd
CVE-ID: CVE-2009-2190
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Opening many connections to an inetd-based launchd service
may lead to a denial of service
Description: Opening many connections to an inetd-based launchd
service may cause launchd to stop servicing incoming connections to
that service until the next system restart. This update addresses the
issue through improved error handling.

Login Window
CVE-ID: CVE-2009-2191
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact: A format string issue in Login Window may lead to an
unexpected application termination or arbitrary code execution
Description: A format string issue in Login Window's handling of
application names may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved handling of application names. Credit to Alfredo Pesoli of
0xcafebabe.it for reporting this issue.

MobileMe
CVE-ID: CVE-2009-2192
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Signing out of MobileMe does not remove all credentials
Description: A logic issue exists in the MobileMe preference pane.
Signing out of the preference pane does not delete all credentials. A
person with access to the local user account may continue to access
any other system associated with the MobileMe account which had
previously been signed in for that local account. This update
addresses the issue by deleting all the credentials on sign out.

Networking
CVE-ID: CVE-2009-2193
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Receiving a maliciously crafted AppleTalk response packet
may lead to arbitrary code execution with system privileges or an
unexpected system shutdown
Description: A buffer overflow exists in the kernel's handling of
AppleTalk response packets. Receiving a maliciously crafted AppleTalk
response packet may lead to arbitrary code execution with system
privileges or an unexpected system shutdown. This update addresses
the issue through improved validation of AppleTalk response packets.
Credit to Ilja van Sprundel from IOActive for reporting this issue.

Networking
CVE-ID: CVE-2009-2194
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: A local user may cause an unexpected system shutdown
Description: A synchronization issue exists in the handling of file
descriptor sharing over local sockets. By sending messages containing
file descriptors to a socket with no receiver, a local user may cause
an unexpected system shutdown. This update addresses the issue
through improved handling of file descriptor sharing. Credit to
Bennet Yee of Google Inc. for reporting this issue.

XQuery
CVE-ID: CVE-2008-0674
Available for: Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact: Processing maliciously crafted XML content may lead to
arbitrary code execution
Description: A buffer overflow exists in the handling of character
classes in regular expressions in the Perl Compatible Regular
Expressions (PCRE) library used by XQuery. This may allow a remote
attacker to execute arbitrary code via a regular expression
containing a character class with a large number of characters with
Unicode code points greater than 255. This update addresses the issue
by updating PCRE to version 7.6.

WAAS
An einem Mittwoch Abend
Naja aber wenns das letzte Leopard Update sein soll dann genies ichs noch mal ausführlich
Hoffe auch das das Bluetooth Problem mit der Anbindung der Blue Mighty Mouse und Blue Tastatur gefixxt ist.

...und das Combo-Update

Angesichts der Tatsache, daß es schon wieder Flash-Updates gibt, die sicherheitsrelevant sind, diese aber nicht in SU 2009-003/10.5.8 enthalten sind - kommt zumindest das nächste SU für Leopard bestimmt...

Und ein hoppelnder Mauszeiger... (der erst mit 10.5.7 kam)

das ist ja ziemlich überraschend,muss ich noch downloaden.

Hoffe auf eine Numbers aktualisierung, damit alle CPU Kerne verwendet werden und der RAM bedarf sinkt ..... Gestern bei Gravis gewesen und da konnte eine meiner Dateien auf einem MacPro nicht geöffnet werden, da 3GB zu wenig waren/ sind ....

Naja wat solls ...

MfG
T.J.

Die ersten 60 MB des Delta-Updates kamen ganz fix an, die restlichen 105 lahmen aber ein bisschen... Und das genau gleich auf zwei verschiedenen Rechnern auf zwei verschiedenen Internet-Anschlüssen (via ARD)...

Hannes Gnad: Was haben Falsh updates mit Mac OS X zu tun? Adobe hat doch einen eigenen Updater....

Da Apple das FlashPlugin mitliefert sind sie auch für dessen Aktualisierung zuständig, was Dich aber nicht dran hindert es vorher selbst schon zu tun!

OS X.5.7 hier - Update mit 165 MB lädt in durchaus akzeptabler Geschwindigkeit.. Will noch gut 5 min brauchen (50 MB sind schon da)
Mal sehn, was es bringt...

Nun ja alles Updates die ich eigentlich nicht brauche...

Warte mit zig anderen seit sage und schreibe fast 2 Jahre auf ein Firmware Update (seit Leo raus kam) für das Superdrive. Aber das ist ein anderes Thema

[ironie]wird hier auch die SMS-Sicherheits-Lücke meines Macs.... äh... xD[/ironie]

super - ich lade's gleich auch mal

ppc hat schon mal 2 mal gestartet und es liess sich einloggen, von daher keine beschwerden, bis jetzt.

@MacSebi: Apple liefert den Flash-Player serienmäßig mit, bei 10.4 die 9'er, bei 10.5 die 10'er Serie. Daher *muß* Apple die per SU/10.5.x Update aktuell nachliefern, wenn es davon *sicherheitsrelevante* Updates gibt. Apple hat das in das auch getan, zuletzt im Rahmen von SU 2009-002/10.5.7, siehe:

support.apple.com/kb/HT3549?viewlocale=de_DE

"Flash Player Plug-In..."

Wenn Adobe also vorlegt, muß Apple bald nachziehen.

Am Rande: Den Adobe Updater hat man nur, wenn man händisch einen Reader oder eine CS installiert - und der Updater holt die normalerweise die Flash Plugins *auch nicht* mit. Da hilft tatsächlich nur manueller Download samt Installation, wenn man nicht auf Apple warten möchte...

@dapo: Sicherheitsrelevante Updates brauchen alle und immer. Die Mac-Welt ist bisher nur in der glücklichen Lage, nicht unter Trommelfeuer zu stehen wie die Windows-Welt. Würden die bösen Buben mal auf die Macs zielen, so richtig, würde bald das große Wehklagen ausbrechen.

(Randnotiz: Sicherheitsexperten kritisieren zuletzt auch regelmäßig Apple direkt, es sich selbst noch zu bequem zu machen, was insbesondere die Reaktionszeiten auf Lücken angeht, siehe z.B. das Java-Updates-Thema.)

So und wie bringe ich nun mein OS X auf 10.5.8 und behalte meinen schönen Safari 3?

@Maniacintosh: Wo ist das Problem? Safari 4 ist schneller, sicherer, kann mehr...

Maniactosh

Versteh ich auch nicht ganz, zumal Safari 4 zu eineigen Seiten kompatibler ist als S3 z.b. ebay. Hatte da mit dem 3er immer Probleme. Von der Geschwindigkeit ist Safari 4 zudem nochmals deutlich besser.

Heute ist Mittwoch. Das muss ein Fake sein.

stimmt, völlig unerwartet und es gibt keine probleme…

endlich ein blaues iDisk Logo

hat den Safari den Blauen Ladebalken zurückbekommen?Das ist ein grund beim 3er zu bleiben.

Also ich nutze noch OS X Tiger wegen dem blauen Apfel oben in der Menüleiste!

Danke Steve : Löpt auch auf meinem OSX86 prima - ohne jedes gefrickel.

Testserver (mit AFP, DHCP, DNS, Druck, Firewall, FTP, iCal,iChat, Mail, MySQL, NAT, NetBoot, NFS, Open Directory, Podcast-Produzent, QT Streaming, Radius, SMB, VPN, Web, WebObjects und Xgrid) und ein Client auf 10.5.8 gebracht. Beides lief bei der Installation soweit ohne Probleme durch.

Eine kurze Kontrolle der wichtigsten Services und Funktionen zeigte soweit kein erkennbares Problem.

Cheers, Uhu

@Ronny&fatdancer: Ihr macht Witze, oder?

10.5.8 ich bin dabei