juker12
Activo
Lo acabo de ver, no me habia dado "cuen hol"
Entrar
or
Registrarse
para completar la lectura
Security Update 2006-003
- Autor del tema juker12
- Fecha de inicio
juker12
Activo
Se actualiza sin mayores complicaciones
bajar el update, copiar tu actual kernel en tu escritorio
instalar de forma silenciosa con pacisfic, justo despues aplicar el paquete de desencriptados de la 10.4.6
borrar el kernel que hay en raiz que ha puesto el update este
reemplazar por el tuyo que esta en el escritorio
abrir utilidad de discos y reparar permisos
Reiniciar.
Para Qtime 7.1
No hay mayor problema, solo que procura tener un serial valido para la pro, por que esto lo han cambiado y si no lo tienes, te quedas sin Pro y sin las carasteristicas adicionales.
A la tarde vere con mas calma el tema de core nuevo.
bajar el update, copiar tu actual kernel en tu escritorio
instalar de forma silenciosa con pacisfic, justo despues aplicar el paquete de desencriptados de la 10.4.6
borrar el kernel que hay en raiz que ha puesto el update este
reemplazar por el tuyo que esta en el escritorio
abrir utilidad de discos y reparar permisos
Reiniciar.
Para Qtime 7.1
No hay mayor problema, solo que procura tener un serial valido para la pro, por que esto lo han cambiado y si no lo tienes, te quedas sin Pro y sin las carasteristicas adicionales.
A la tarde vere con mas calma el tema de core nuevo.
juker12
Activo
No es ninguna broma el update, parece que ya al maquintos le estan haciendo pupa
Security Update 2006-003
AppKit
CVE-ID: CVE-2006-1439
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4.
AppKit, ImageIO
CVE-ID: CVE-2006-1982, CVE-2006-1983, CVE-2006-1984
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
Description: The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.
BOM
CVE-ID: CVE-2006-1985
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Expanding an archive may lead to arbitrary code execution
Description: By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update adresses the issue by properly handling the boundary conditions.
BOM
CVE-ID: CVE-2006-1440
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Expanding a malicious archive may cause arbitrary files to be created or overwritten
Description: An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory.
CFNetwork
CVE-ID: CVE-2006-1441
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Visiting malicious web sites may lead to arbitrary code execution
Description: An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4.
ClamAV
CVE-ID: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630
Available for: Mac OS X Server v10.4.6
Impact: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
Description: The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV.
CoreFoundation
CVE-ID: CVE-2006-1442
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Registration of an untrusted bundle may lead to arbitrary code execution
Description: Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time.
CoreFoundation
CVE-ID: CVE-2006-1443
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: String conversions to file system representation may lead to arbitrary code execution
Description: An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Finder
CVE-ID: CVE-2006-1448
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Launching an Internet Location item may lead to arbitrary code execution
Description: Internet Location items are simple URL containers which may reference
FTPServer
CVE-ID: CVE-2006-1445
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution
Description: Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions.
Flash Player
CVE-ID: CVE-2005-2628, CVE-2006-0024
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Playing Flash content may lead to arbitrary code execution
Description: Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at
ImageIO
CVE-ID: CVE-2006-1552
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution
Description: An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue.
Keychain
CVE-ID: CVE-2006-1446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: An application may be able to use Keychain items when the Keychain is locked
Description: When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.
LaunchServices
CVE-ID: CVE-2006-1447
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious web site may lead to arbitrary code execution
Description: Long file name extensions may prevent Download Validation from correctly determining the application with which an item may be opened. As a result, an attacker may be able to bypass Download Validation and cause Safari to automatically open unsafe content if the "Open `safe' files after downloading" option is enabled and certain applications are not installed. This update addresses the issue through improved checking of the file name extension. This issue does not affect systems prior to Mac OS X v10.4.
libcurl
CVE-ID: CVE-2005-4077
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: URL handling in libcurl may lead to arbitrary code execution
Description: The open source HTTP library libcurl contains buffer overflows in URL handling. Applications using curl for URL handling may trigger the issue and lead to arbitrary code execution. This update addresses the issue by incorporating libcurl version 7.15.1. This issue does not affect systems prior to Mac OS X v10.4.
Mail
CVE-ID: CVE-2006-1449
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious mail message may lead to arbitrary code execution
Description: By preparing a specially-crafted email message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail. This issue corrects the issue by performing additional validation of messages.
Mail
CVE-ID: CVE-2006-1450
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious mail message may lead to arbitrary code execution
Description: The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail. This update addresses the issue by properly handling malformed enriched text data.
MySQL Manager
CVE-ID: CVE-2006-1451
Available for: Mac OS X Server v10.4.6
Impact: MySQL database may be accessed with an empty password
Description: During the initial setup of a MySQL database server using MySQL Manager, the "New MySQL root password" may be supplied. However, this password is not actually used. As a result, the MySQL root password will remain empty. A local user may then obtain access to the MySQL database with full privileges. This update addresses the issue by ensuring that the entered password is saved. This issue does not affect systems prior to Mac OS X Server v10.4. Credit to Ben Low of the University of New South Wales for reporting this issue.
Preview
CVE-ID: CVE-2006-1452
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution
Description: When navigating very deep directory hierarchies in Preview, a stack buffer overflow may be trigger. By carefully crafting such a directory hierarchy, it may be possible for an attacker to cause arbitrary code execution if the directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4.
QuickDraw
CVE-ID: CVE-2006-1453, CVE-2006-1454
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted PICT image may lead to arbitrary code execution
Description: Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime Streaming Server
CVE-ID: CVE-2006-1455
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact: A malformed QuickTime movie can cause QuickTime Streaming Server to crash
Description: A QuickTime movie that has a missing track may cause a null pointer dereference, causing the server process to crash. This causes active client connections to be interrupted. However, the server is restarted automatically. This update addresses the issue by producing an error when malformed movies are encountered.
QuickTime Streaming Server
CVE-ID: CVE-2006-1456
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution
Description: By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue.
Ruby
CVE-ID: CVE-2005-2337
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Ruby safe level restrictions may be bypassed
Description: The Ruby scripting language contains a mechanism called "safe levels" that is used to restrict certain operations. This mechanism is most commonly used when running privileged Ruby applications or Ruby network applications. In certain circumstances, an attacker may be able to bypass the restrictions in such applications. Applications that do not rely on safe levels are unaffected. This update addresses the issue by ensuring that safe levels cannot be bypassed.
Safari
CVE-ID: CVE-2006-1457
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Visiting malicious web sites may lead to file manipulation or arbitrary code execution
Description: When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4.
Security Update 2006-003
AppKit
CVE-ID: CVE-2006-1439
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4.
AppKit, ImageIO
CVE-ID: CVE-2006-1982, CVE-2006-1983, CVE-2006-1984
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
Description: The handling of malformed GIF or TIFF image may lead to arbitrary code execution when parsing a maliciously-crafted image. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.
BOM
CVE-ID: CVE-2006-1985
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Expanding an archive may lead to arbitrary code execution
Description: By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update adresses the issue by properly handling the boundary conditions.
BOM
CVE-ID: CVE-2006-1440
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Expanding a malicious archive may cause arbitrary files to be created or overwritten
Description: An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory.
CFNetwork
CVE-ID: CVE-2006-1441
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Visiting malicious web sites may lead to arbitrary code execution
Description: An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4.
ClamAV
CVE-ID: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630
Available for: Mac OS X Server v10.4.6
Impact: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
Description: The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV.
CoreFoundation
CVE-ID: CVE-2006-1442
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Registration of an untrusted bundle may lead to arbitrary code execution
Description: Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time.
CoreFoundation
CVE-ID: CVE-2006-1443
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: String conversions to file system representation may lead to arbitrary code execution
Description: An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Finder
CVE-ID: CVE-2006-1448
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Launching an Internet Location item may lead to arbitrary code execution
Description: Internet Location items are simple URL containers which may reference
Entrar
or
Registrarse
para completar la lectura
Entrar
or
Registrarse
para completar la lectura
and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location,
Entrar
or
Registrarse
para completar la lectura
, with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type.FTPServer
CVE-ID: CVE-2006-1445
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution
Description: Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions.
Flash Player
CVE-ID: CVE-2005-2628, CVE-2006-0024
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Playing Flash content may lead to arbitrary code execution
Description: Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at
Entrar
or
Registrarse
para completar la lectura
. This update addresses the issue by incorporating Flash Player version 8.0.24.0.ImageIO
CVE-ID: CVE-2006-1552
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution
Description: An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue.
Keychain
CVE-ID: CVE-2006-1446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: An application may be able to use Keychain items when the Keychain is locked
Description: When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.
LaunchServices
CVE-ID: CVE-2006-1447
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious web site may lead to arbitrary code execution
Description: Long file name extensions may prevent Download Validation from correctly determining the application with which an item may be opened. As a result, an attacker may be able to bypass Download Validation and cause Safari to automatically open unsafe content if the "Open `safe' files after downloading" option is enabled and certain applications are not installed. This update addresses the issue through improved checking of the file name extension. This issue does not affect systems prior to Mac OS X v10.4.
libcurl
CVE-ID: CVE-2005-4077
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: URL handling in libcurl may lead to arbitrary code execution
Description: The open source HTTP library libcurl contains buffer overflows in URL handling. Applications using curl for URL handling may trigger the issue and lead to arbitrary code execution. This update addresses the issue by incorporating libcurl version 7.15.1. This issue does not affect systems prior to Mac OS X v10.4.
CVE-ID: CVE-2006-1449
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious mail message may lead to arbitrary code execution
Description: By preparing a specially-crafted email message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail. This issue corrects the issue by performing additional validation of messages.
CVE-ID: CVE-2006-1450
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a malicious mail message may lead to arbitrary code execution
Description: The handling of invalid color information in enriched text email messages could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail. This update addresses the issue by properly handling malformed enriched text data.
MySQL Manager
CVE-ID: CVE-2006-1451
Available for: Mac OS X Server v10.4.6
Impact: MySQL database may be accessed with an empty password
Description: During the initial setup of a MySQL database server using MySQL Manager, the "New MySQL root password" may be supplied. However, this password is not actually used. As a result, the MySQL root password will remain empty. A local user may then obtain access to the MySQL database with full privileges. This update addresses the issue by ensuring that the entered password is saved. This issue does not affect systems prior to Mac OS X Server v10.4. Credit to Ben Low of the University of New South Wales for reporting this issue.
Preview
CVE-ID: CVE-2006-1452
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution
Description: When navigating very deep directory hierarchies in Preview, a stack buffer overflow may be trigger. By carefully crafting such a directory hierarchy, it may be possible for an attacker to cause arbitrary code execution if the directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4.
QuickDraw
CVE-ID: CVE-2006-1453, CVE-2006-1454
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Viewing a maliciously-crafted PICT image may lead to arbitrary code execution
Description: Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime Streaming Server
CVE-ID: CVE-2006-1455
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact: A malformed QuickTime movie can cause QuickTime Streaming Server to crash
Description: A QuickTime movie that has a missing track may cause a null pointer dereference, causing the server process to crash. This causes active client connections to be interrupted. However, the server is restarted automatically. This update addresses the issue by producing an error when malformed movies are encountered.
QuickTime Streaming Server
CVE-ID: CVE-2006-1456
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution
Description: By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue.
Ruby
CVE-ID: CVE-2005-2337
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Ruby safe level restrictions may be bypassed
Description: The Ruby scripting language contains a mechanism called "safe levels" that is used to restrict certain operations. This mechanism is most commonly used when running privileged Ruby applications or Ruby network applications. In certain circumstances, an attacker may be able to bypass the restrictions in such applications. Applications that do not rely on safe levels are unaffected. This update addresses the issue by ensuring that safe levels cannot be bypassed.
Safari
CVE-ID: CVE-2006-1457
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Visiting malicious web sites may lead to file manipulation or arbitrary code execution
Description: When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4.
juker12
Activo
Si y no, asi no esta instalando lo nuevo de core, y yo acabo de hacerme un test, y a parte de los fix de seguridad, me ha aumentado core, cuarzo extreme en 5 puntos.
No da ningun problema si lo instalas entero, en serio
Y si no instalas core, te quedas con el culo al aire, es como si no instalaras nada, como dije antes, no es ninguna broma el update, mira lo que te pierdes si instalas como dice el foro pitinglis.
"CoreFoundation
CVE-ID: CVE-2006-1443
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: String conversions to file system representation may lead to arbitrary code execution
Description: An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue"
No da ningun problema si lo instalas entero, en serio
Y si no instalas core, te quedas con el culo al aire, es como si no instalaras nada, como dije antes, no es ninguna broma el update, mira lo que te pierdes si instalas como dice el foro pitinglis.
"CoreFoundation
CVE-ID: CVE-2006-1443
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: String conversions to file system representation may lead to arbitrary code execution
Description: An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update adresses the issue by properly handling the boundary conditions.
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue"
juker12
Activo
"Hola A todoa , perdonad unaa preguntita como coio el kernel? que carpeta es?? "
Es facil, esta en la raiz del disco donde esta mac instalado, es un archivo y se llama mach_kernel
Si no lo ves, es por que esta oculto quizas, para verlo, abre tu Terminal que esta en la carpeta Aplicaciones/Utilidades
escribe:
defaults write com.apple.finder AppleShowAllFiles -bool YES
Y ya podras verlo y copiarlo en tu escritorio o donde quieras.
Es facil, esta en la raiz del disco donde esta mac instalado, es un archivo y se llama mach_kernel
Si no lo ves, es por que esta oculto quizas, para verlo, abre tu Terminal que esta en la carpeta Aplicaciones/Utilidades
escribe:
defaults write com.apple.finder AppleShowAllFiles -bool YES
Y ya podras verlo y copiarlo en tu escritorio o donde quieras.
juker12
Activo
skeewiff dijo:
En serio, no es peligroso este update, creo que le estan haciendo pupa al mac, y apple esta vez prefiere arreglar problemas y no crear mala fama, antes de preocuparse de los mac "piratas"
Yo creo...que apple prepara una buena jugada para los mac piratas, pero para el update 10.4.7, no para los fix intermedios.
ardase
New member
Hola Juker he puesto el patch pero se me queda la pantalla con el fondo de escritorio y con el puntero del raton..... help!!!
he copiado el kernel al esritorio he instalada el update
y quitado el kernel que ha puesto el update con el del escritorio
y he reparadao permisos ....
he reiniciado y se ha quedado asi...
Bueno con las ansias y ahora leyendo mejor hay 2 cosas que no he echo correctamente:
- el tema del pacifist
- y... el paquete desencriptados de la 10.4.6 por cierto que arcibos o carpetas son?
estoy reinstalando suerte que no tengo nada .....
he copiado el kernel al esritorio he instalada el update
y quitado el kernel que ha puesto el update con el del escritorio
y he reparadao permisos ....
he reiniciado y se ha quedado asi...
Bueno con las ansias y ahora leyendo mejor hay 2 cosas que no he echo correctamente:
- el tema del pacifist
- y... el paquete desencriptados de la 10.4.6 por cierto que arcibos o carpetas son?
estoy reinstalando suerte que no tengo nada .....
miliuco
Activo
Vaya, Juker, sí que está cogiendo fama OSX fuera de los ambientes maqueros, ya están empezando a proliferar tocahuevos y demás familias. Tus instrucciones parecen claras pero siempre da reparo hacer cosas de éstas cuando uno tiene el sistema tan arregladito y tan funcional. Y yo también pienso, como tú, que a no tardar Apple sacará un obstáculo nuevo aprovechando alguna actualización (no creo que esperen a Leopard).
juker12
Activo
ardase dijo:
A ver si puedo yo,
Creo que has instalado el update este ultimo, pero antes de reiniciar no aplicastes los decriptados.
¿es correcto? si
Bien, no nos queda mas remedido que aplicarlos, para ello, o bien desde otra particion con mac instalado lo aplicas, o bien entrando en el boot.
Esto ultimo, cuando arrancas el pc, pulsas F8, y ahora en la linea de comando, escribes -s
desde ahi puedes empezar a trabajar
Una vez dentro, haces un cd /ruta donde este tus decriptados, y aplicas el replace.sh
Y asi sales del apuro.
Ya dentro de mac, aplicate los desencriptados, pero de la 10.4.6, es un paquete que se llama "10.4.6_decrypted.pkg"
Ahhh, otra cosa, aqui nadie da el coñazo hombre, nos encanta ayudar a los demas, nadie nos obliga y de paso aprendemos unos de otros, y otros de unos, es reciproco
ardase
New member
Horror no puedo no puedo,,, me doy por vencido ya que no me aclaroa el archivo que mencinas donde esta?
yo tendo el dvd del tito Jas pero no encuentro ese ficheroo...
llevo solo 3 dias con esto ehhh
bueno he enocntrado este que se asemeja... 10.4.6intel.SSE3.pkg
no se si dejarlo sin actualizar por ahora me va bienn
yo tendo el dvd del tito Jas pero no encuentro ese ficheroo...
llevo solo 3 dias con esto ehhh
bueno he enocntrado este que se asemeja... 10.4.6intel.SSE3.pkg
no se si dejarlo sin actualizar por ahora me va bienn
yeyo
New member
No te des por vencido , y no te procupes que por aqui la gente es fenomenal y ayudan lo que haga falta .
Yo tengo el dvd de myzar y he encontado la carpeta -- decrypted_file --- aqui :
Le das dos click al dvd y en la carpeta maxxuss_pacht_solution_v1.0 otro click y ahi veras la carpeta .
Yo es la que he utilizado , creo que te puede servir ,
Saludos.
Yo tengo el dvd de myzar y he encontado la carpeta -- decrypted_file --- aqui :
Le das dos click al dvd y en la carpeta maxxuss_pacht_solution_v1.0 otro click y ahi veras la carpeta .
Yo es la que he utilizado , creo que te puede servir ,
Saludos.