Apple Computer, Inc. Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Status

Affected

Vendor Statement

The vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

Security Update 2002-08-23 is now available.  This applies the fixes
already available in Security Update 2002-08-02 to the Mac OS X 10.2
(Jaguar) release.  Security Update 2002-08-02 was designed for the Mac
OS X 10.1.5 release.

It contains fixes for recent vulnerabilities in:

    OpenSSL:  Fixes security vulnerabilities CAN-2002-0656,
       CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659.  Details are
       available via:
http://www.cert.org/advisories/CA-2002-23.html

    mod_ssl:  Fixes CAN-2002-0653, an off-by-one buffer overflow in the
      mod_ssl Apache module.  Details are available via:
     
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

    Sun RPC:  Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder.
      Details are available via:

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

Affected systems:  Mac OS X client and Mac OS X Server

Note:  Mac OS X client is configured by default to have these services
turned off, and is only vulnerable if the user has enabled network
services which rely on the affected components.  It is still recommended
for Mac OS X client users to apply this security update to their system.

System requirements:  Mac OS X 10.2 (Jaguar)

Security Update 2002-08-23 may be obtained from:

   * Software Update pane in System Preferences

   * Apple's Software Downloads web site:
     
http://www.info.apple.com/kbnum/n120142

To help verify the integrity of Security Update 2002-08-23 from the
Software Downloads web site:

    The download file is titled:  SecurityUpd2002-08-23.dmg
   Its SHA-1 digest is:  fccb3adb478f90650f4484534a79a80bba5f94f3

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPWad3SFlYNdE6F9oAQHuIQf9GdW2n/r7di2U8c4jQU+3JvRtU+HG7Lsl
jlKRVNGyaMvUAurxbYB/yHfHcYDtsj26bupzLUpLXbIt54uZxyXo6UTExzpwreaT
r+UJm7+q9kG6lcAmrcz2WNzlnD6icXKKuyf/hR8NUo3yBP7MoR6QGjvFqodvTOHR
J2YXH8AEPAmWFf511AzbG1yYvlDhocZ+/gBFTlaB3nYt11Edz2yRE4qeumQYEIyf
gLFxzp1BVFNDJck66WjPWgHqDuq9QWPBzHl1qhd09ctD84w+Hda972dqxRn08Jo7
jTGs2zmUpyPxLxCHEd5uzRNuMquIoddW2Nsg8LeJNHqRDlklVSJTUA==
=CJ2Y
-----END PGP SIGNATURE-----
_______________________________________________

---- Original Message ----
From: Product Security
Date: Fri 8/2/02 20:02
To: security-announce@lists.apple.com
Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

-----BEGIN PGP SIGNED MESSAGE-----

Security Update 2002-08-02 is now available. It contains fixes for
recent
vulnerabilities in:

OpenSSL: Fixes security vulnerabilities CAN-2002-0656,
CAN-2002-0657,
CAN-2002-0655, and CAN-2002-0659. Details are available via:
http://www.cert.org/advisories/CA-2002-23.html

mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder.
Details are available via:

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

Affected systems: Mac OS X client and Mac OS X Server

Note: Mac OS X client is configured by default to have these services
turned
off, and is only vulnerable if the user has enabled network services
which rely
on the affected components. It is still recommended for Mac OS X
client users
to apply this security update to their system.

System requirements: Mac OS X 10.1.5

Security Update 2002-08-02 may be obtained from:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:
http://docs.info.apple.com/article.html?artnum=120139

SSL server:
https://depot.info.apple.com/security/129403bc5e184e3b7367.html

To help verify the integrity of Security Update 2002-08-02 from the
Software Downloads web site:

The download file is titled: SecurityUpd2002-08-02.dmg
Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSNFTd2puXCtOGQ0M8c
2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chnN8s9EXiavcBG5e/ejtTo3ZHoOGP7bg
789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8c2jXySLlnqF+kzwqVnjUL7i2O97Fk5
tWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTpuKYuah/w9NwzL+LsbPcfXA/H1f4ngc
vRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXdZ9qaVCVRrZlsd9gSSmB2Jba4be/MRX
FauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZXOXwbbRjqXHmzzgu8D/Q==
=fdGO
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-
announce
Do not post admin requests to the list. They will be ignored.

If you have feedback, comments, or additional information about this vulnerability, please send us email.