=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN389
_____________________________________________________________________

DATE                      : 25/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Mac OS X versions 10.4.11,
                             Mac OS X Server versions 10.4.11.

======================================================================
http://support.apple.com/kb/HT1222
______________________________________________________________________

APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7

Java for Mac OS X 10.4, Release 7 is now available and addresses the
following issues:

Java
CVE-ID:  CVE-2008-3637
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An error checking issue leading to the use of an
uninitialized variable exists in the Hash-based Message
Authentication Code (HMAC) provider used for generating MD5 and SHA-1
hashes. Visiting a website containing a maliciously crafted Java
applet may lead to arbitrary code execution. This update addresses
the issue through improved error handling. This is an Apple-specific
issue. Credit to Radim Marek for reporting this issue.

Java
CVE-ID:  CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188,
CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192,
CVE-2008-1195, CVE-2008-1196, CVE-2008-3104, CVE-2008-3107,
CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113,
CVE-2008-3114
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in Java 1.4.2_16
Description:  Multiple vulnerabilities exist in Java 1.4.2_16, the
most serious of which may allow untrusted Java applets to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted Java applet may lead to arbitrary code execution. These
issues are addressed by updating Java 1.4 to version 1.4.2_18.
Further information is available via the Sun Java website at
http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

Java
CVE-ID:  CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188,
CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192,
CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196,
CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111,
CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in Java 1.5.0_13
Description:  Multiple vulnerabilities exist in Java 1.5.0_13, the
most serious of which may allow untrusted Java applets to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted Java applet may lead to arbitrary code execution. These
issues are addressed by updating Java 1.5 to version 1.5.0_16.
Further information is available via the Sun Java website at
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java for Mac OS X 10.4, Release 7 may be obtained from the Software
Update pane in System Preferences, or Apple's Software Downloads
web site: http://www.apple.com/support/downloads/

The download file is named:  "JavaForMacOSX10.4Release7.dmg"
Its SHA-1 digest is:  67d17ba3e854101d890633f507b4c02e031b3a05

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
