=====================================================================
                            CERT-Renater

                 Information Note No. 2009/VULN211
_____________________________________________________________________

DATE                 : 03/06/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running iTunes versions prior to 8.2.

======================================================================
http://support.apple.com/kb/HT3592
______________________________________________________________________

APPLE-SA-2009-06-01-2 iTunes 8.2

iTunes 8.2 is now available and addresses the following:

iTunes
CVE-ID:  CVE-2009-0950
Available for:  Mac OS X v10.4.10 or later,
Mac OS X Server v10.4.10 or later, Windows Vista, XP SP2
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in iTunes when parsing
"itms:" URLs. Accessing a maliciously crafted "itms:" URL may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.
Credit to Will Drewry for reporting this issue.

iTunes 8.2 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named:  "iTunes8.2.dmg"
Its SHA-1 digest is:  a07c4fb0dfd94ba238024cf8d448165da24e5be5

For Windows XP / Vista:
The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  16f5b1e787b36aece842ea5ae80bfc6bf2b32b19

For Windows Vista 64 Bit:
The download file is named:  "iTunes64Setup.exe"
Its SHA-1 digest is:  b8739f847f2b66835f4f4b542b3308de96d418ed

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
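
Checking a downloaded installer against the SHA-1 digests published in the advisory above, as an added example that is not part of the Apple or CERT-Renater text. The function names and the command-line usage are this example's own; the file names and digests are the ones listed above.

```python
import hashlib
import sys
from pathlib import Path

# File names and SHA-1 digests as published in APPLE-SA-2009-06-01-2 above.
PUBLISHED_SHA1 = {
    "iTunes8.2.dmg": "a07c4fb0dfd94ba238024cf8d448165da24e5be5",
    "iTunesSetup.exe": "16f5b1e787b36aece842ea5ae80bfc6bf2b32b19",
    "iTunes64Setup.exe": "b8739f847f2b66835f4f4b542b3308de96d418ed",
}


def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published=PUBLISHED_SHA1):
    """Return (ok, reason) for one downloaded file.

    The file name selects the expected digest, so a file the advisory
    does not name is rejected instead of being passed unchecked.
    """
    name = Path(path).name
    expected = published.get(name)
    if expected is None:
        return False, f"{name}: not a file named in the advisory"
    actual = sha1_of(path)
    if actual != expected.lower():
        return False, f"{name}: SHA-1 {actual} does not match published {expected}"
    return True, f"{name}: SHA-1 matches the advisory"


if __name__ == "__main__":
    # Usage (assumed): python verify_itunes.py iTunesSetup.exe [more files...]
    results = [verify_download(p) for p in sys.argv[1:]]
    for ok, reason in results:
        print("OK  " if ok else "FAIL", reason)
    # Exit non-zero if nothing was checked or any file failed.
    sys.exit(0 if results and all(ok for ok, _ in results) else 1)
```

The script exits non-zero when any file fails or when no file is given, so it can gate a deployment step.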