Apple on Thursday posted Security Update 2008-007, a new security patch for client and server versions of Mac OS X 10.5 “Leopard” and Mac OS X 10.4.11. The update is available for download from the Software Update system preference or from Apple’s Web site.
Multiple vulnerabilities have been address in the Apache 2.2.9 release, the most serious of which may lead to cross site request forgery. Root certificates have been updated, added to the list of system roots. ClamAV — the open-source anti-virus software included on Mac OS X Server — was updated to 0.94, addressing problems that could lead to arbitrary code execution.
ColorSync has been updated to address an issue involving a buffer overflow while handing images with embedded ICC profiles. An issue involving printer sharing and the HPGL filter has been corrected, and a Denial of Service (DoS) attack problem with the Finder has been fixed. An issue specific to Mac OS X 10.5.5 involving launchd has been corrected, along with a problem processing an XML document that could lead to unexpected app termination.
MySQL has been updated to 5.0.67 to address vulnerabilities; a networking problem involving the local IPC component of configd’s EAPOLController plug-in has been fixed; multiple vulnerabilities in PHP 4.4.8 have been addressed; a problem with Postfix has been fixed that could cause a remote attacker to send mail directly to local users; a problem handling maliciously-crafted PostScript files has been fixed; an issue with Leopard’s QuickLook and Microsoft Excel has been corrected; an update has been made to rlogin; Script Editor’s operation has been improved; Single Sign-On’s security is better; Tomcat, a Java Servlet application installed on Mac OS X Server 10.5.5, has been fixed; The text editor vim has been updated to 18.104.22.168; and access control for weblog postings with Mac OS X Server 10.4.11 has been improved.