ID: 3520
Date: 14/12/2007
Title: 3520 - APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4
Platform level affected:Net Application - Enterprise
Hardware components affected:Apple MAC
Specific operating systems components affected: Apple Mac OS
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Apple
Applications affected:Java
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://www.apple.com/support/downloads/
Abstract: Java Release 6 for Mac OS X 10.4 is now available and addresses a number of issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4
Java Release 6 for Mac OS X 10.4 is now available and addresses the following issues:
Java
CVE-ID: CVE-2007-5862
Available for: Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: A malicious webpage can remove or insert keychain items
Description: An access check may be bypassed for Keychain updates. A specially crafted Java applet may be able to add or remove items from a user's Keychain, without prompting the user. This update addresses the issue through an improved access check. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Bruno Harbulot of the University of Manchester for reporting this issue.
Java
CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005, CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381,
CVE-2007-5232
Available for: Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities exist in Java 1.4
Description: Multiple vulnerabilities exist in Java 1.4, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating Java 1.4 to version 1.4.2_16. These issues are already addressed in systems running Mac OS X v10.5 and later.
Java
CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232 Available for: Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server v10.4.10, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities exist in J2SE 5.0
Description: Multiple vulnerabilities exist in J2SE 5.0, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating J2SE 5.0 to version 1.5.0_13. These issues are already addressed in systems running Mac OS X v10.5 and later.
Java Release 6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.10 and Mac OS X v10.4.11 The download file is named: "JavaForMacOSX10.4Release6.dmg"
Its SHA-1 digest is: ee4e261070354b0f95f88a92a1b00f8cf39886c4
Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867
wsBVAwUBR2LK18gAoqu4Rp5tAQgG8gf/UCD9npaJL3to97F+On2L7AUmEXgKh7N0
mrT0GErNHmUiXaLHrAJ5GH2e/SYVGpfV9PlyV2iNAx4d1lXhM0hXAwINZfTDy0nm
ZpBBvwRjWeZSRaJk6saM0vIYt+tCQMREFR7m5qBrnteo2wA3bUuFBZmwJMyWz3ls
boTozFrbr9mDzk/mTnTxHvEDZAAEbH21aqyZPEuFK8FwGbrCffIKl+EmUPiMxjhe
SxqUl4eGep+WcwosOdsxqwlo9ia9UcO21zGlgr75Ibu5W/xvoHO+yAHHufm6CI4b
JpU3/tDvdyPUMFDJayNik622GlbZUNEIfDoasOfKPiyHv93gCValtg==
=CNOz
-----END PGP SIGNATURE-----
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Fri, 14 Dec 2007 18:50:00 GMT
Domain affected: Technical