APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6

The 10.5.6 Update is recommended for all users running Mac OS X Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac.

For detailed information on this update, please visit this website: http://support.apple.com/kb/HT3194.
For detailed information on security updates, please visit this website: http://support.apple.com/kb/HT1222.

iLife Support 8.3.1 is now available and addresses the following security issues:

ImageIO
CVE-ID:  CVE-2008-2327
Available for:  iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. These issues are already addressed in systems running Mac OS X v10.5.5. Credit: Apple.

ImageIO
CVE-ID:  CVE-2008-2332
Available for:  iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exits in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is already addressed in systems running Mac OS X v10.5.5. Credit to Robert Swiecki of Google Security Team for reporting this issue.

ImageIO
CVE-ID:  CVE-2008-3608
Available for:  iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is already addressed in systems running Mac OS X v10.5.5. Credit: Apple.

iLife Support 8.3.1 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "iLifeSupport.dmg"
Its SHA-1 digest is: 2911f4608c3c69eb8056a5bf6d5186a4f403517d

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

The 10.4.10 Update is recommended for PowerPC and Intel-based Mac computers currently running Mac OS X Tiger.  This update includes general operating system fixes, as well as specific fixes or compatibility updates for the following applications and technologies: 

- RAW camera support
- Mounting and unmounting external USB devices
- Support for 3rd party software applications
- Security updates

For detailed information on this update, please visit this website: http://www.info.apple.com/kbnum/n305533.
For detailed information on security updates, please visit this website: http://www.info.apple.com/kbnum/n61798.

Security Update 2007-004 is recommended for all users and improves the security of the following components:

AFP Client
AirPort
CarbonCore
diskdev_cmds
fetchmail
ftpd
gnutar
Help Viewer
HID Family
Installer
Kerberos
Libinfo
Login Window
network_cmds
SMB
System Configuration
URLMount
Video Conference
WebDAV

For detailed information on this update, please visit this website:
http://docs.info.apple.com/article.html?artnum=61798

iPhoto 6.0.6
This update to iPhoto addresses issues associated with EXIF data compatibility and Photocasting.

10.4.9
The 10.4.9 Update is recommended for PowerPC and Intel-based Mac computers currently running Mac OS X Tiger version 10.4.8 and includes general operating system fixes, as well as specific fixes or compatibility updates for the following applications and technologies:

- RAW camera support
- Handling of large or malformed images that could cause crashes
- Image capture performance
- Mouse scrolling and keyboard shortcuts
- Font handling
- Playback quality, and bookmarks in DVD Player
- USB video conferencing cameras for use with iChat
- Bluetooth devices
- Browsing AFP servers
- Apple USB Modem
- Windows-created digital certificates
- Open and Print dialogs in applications that use Rosetta on Intel-based Macs
- Time zone and daylight saving for 2006 and 2007
- Security updates

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n304821.
For detailed information on Security Updates, please visit this website: http://www.info.apple.com/kbnum/n61798.

New update available for QuickTime. Read more for the details or run Software Update and get it now.

Security Update 2006-008 is now available and provides a fix for the
following security issue:

QuickTime for Java
Quartz Composer

CVE-ID: CVE-2006-5681

Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact: Visiting a malicious web site may lead to information disclosure

Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue.

Security Update 2006-008 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2006-008Ti.dmg"
Its SHA-1 digest is: 32af5ee777a3672117db7b6e9d5c96884c7b6bde

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2006-008Univ.dmg"
Its SHA-1 digest is: 08f2353b65540d94abf6a0b905442af825318409

This message is signed with Apple's Product Security PGP key,
and details are available at: http://www.apple.com/support/security/pgp/

Security Update 2006-007 is recommended for all users and improves the security of the following components:

AirPort
ATS
CFNetwork
Finder
Font Book
Font Importer
Installer
OpenSSL
PHP
PPP
Samba
Security Framework
VPN
WebKit
gnuzip
perl

For detailed information on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=61798

The 10.4.8 Update is recommended for all users and includes general operating system fixes, as well as specific fixes for the following applications and technologies:

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance
- security updates

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n304200.

For detailed information on Security Updates, please visit this website: http://www.info.apple.com/kbnum/n61798.

APPLE-SA-2006-08-09 Security Update 2006-004 for Mac Pro

"Security Update 2006-004 for Mac Pro" is now available.

Security Update 2006-004 was released on August 1, and details are available via:
http://docs.info.apple.com/article.html?artnum=304063

The new Mac Pro product ships with Mac OS X v10.4.7 Build 8K1079. Also, the existing Xserve hardware is now shipping with Mac OS X Server v10.4.7 Build 8K1079.

The fixes provided in Security Update 2006-004 (August 1 release) are contained in Build 8K1079, with the exception of the ones listed below for ImageIO and OpenSSH. The fixes for these issues were not fully tested in time for the manufacturing of the Mac Pro, and are being provided via this security update.

This update is a proper subset of the full Security Update 2006-004 released on August 1. Existing systems that have already applied Security Update 2006-004 (Aug 1 release) do not need to install this update.