APPLE-SA-2009-11-09-1 Security Update 2009-006 / Mac OS X v10.6.2

Security Update 2009-006 / Mac OS X v10.6.2 is now available and addresses the following:

AFP Client
CVE-ID: CVE-2009-2819
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Accessing a malicious AFP server may lead to an unexpected system termination or arbitrary code execution with system privileges
Description: Multiple memory corruption issues exist in AFP Client. Connecting to a malicious AFP Server may cause an unexpected system termination or arbitrary code execution with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

Adaptive Firewall
CVE-ID: CVE-2009-2818
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 and v10.6.1
Impact: A brute force or dictionary attack to guess an SSH login password may not be detected by Adaptive Firewall
Description: Adaptive Firewall responds to suspicious activity, such as an unusual volume of access attempts, by creating a temporary rule to restrict access. In certain circumstances, Adaptive Firewall may not detect SSH login attempts using invalid user names. This update addresses the issue through improved detection of invalid SSH login attempts. This issue only affects Mac OS X Server systems. Credit: Apple.

Apache
CVE-ID: CVE-2009-0023, CVE-2009-1191, CVE-2009-1195, CVE-2009-1890, CVE-2009-1891, CVE-2009-1955, CVE-2009-1956
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Multiple vulnerabilities in Apache 2.2.11
Description: Apache is updated to version 2.2.13 to address several vulnerabilities, the most serious of which may lead to privilege escalation.
Further information is available via the Apache web site at http://httpd.apache.org/

Apache
CVE-ID: CVE-2009-2823
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A remote attacker can conduct cross-site scripting attacks against Apache web server
Description: The Apache web server allows the TRACE HTTP method. A remote attacker may use this facility to conduct cross-site scripting attacks through certain web client software. This issue is addressed by updating the configuration to disable support for the TRACE method.

Apache Portable Runtime
CVE-ID: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956, CVE-2009-2412
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Applications using Apache Portable Runtime (apr) may be exploited for code execution
Description: Multiple integer overflows in Apache Portable Runtime (apr) may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by updating Apache Portable Runtime to version 1.3.8 on Mac OS X v10.6 systems, and by applying the Apache Portable Runtime patches on Mac OS X v10.5.8 systems. Systems running Mac OS X v10.6 are affected only by CVE-2009-2412. Further information is available via the Apache Portable Runtime web site at http://apr.apache.org/

ATS
CVE-ID: CVE-2009-2824
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
Description: Multiple buffer overflows exist in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

Certificate Assistant
CVE-ID: CVE-2009-2825
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A user may be misled into accepting a certificate for a different domain
Description: An implementation issue exists in the handling of SSL certificates which have NUL characters in the Common Name field. A user could be misled into accepting an attacker-crafted certificate that visually appears to match the domain visited by the user. This issue is mitigated as Mac OS X does not consider such a certificate to be valid for any domain. This update addresses the issue through improved handling of SSL certificates.

CoreGraphics
CVE-ID: CVE-2009-2826
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple integer overflows in CoreGraphics' handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

CoreMedia
CVE-ID: CVE-2009-2202
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.

CoreMedia
CVE-ID: CVE-2009-2799
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

CUPS
CVE-ID: CVE-2009-2820
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Accessing a maliciously crafted website or URL may lead to a cross-site scripting or HTTP response splitting attack
Description: An issue in CUPS may lead to cross-site scripting and HTTP response splitting. Accessing a maliciously crafted web page or URL may allow an attacker to access content available to the current local user via the CUPS web interface. This could include print system configuration and the titles of jobs that have been printed. This issue is addressed through improved handling of HTTP headers and HTML templates. Credit: Apple.

Dictionary
CVE-ID: CVE-2009-2831
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A user on the local network may be able to cause arbitrary code execution
Description: A design issue in Dictionary allows maliciously crafted JavaScript to write arbitrary data to arbitrary locations on the user's filesystem. This may allow another user on the local network to execute arbitrary code on the user's system. This update addresses the issue by removing the vulnerable code. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

DirectoryService
CVE-ID: CVE-2009-2828
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in DirectoryService. This may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update only affects systems configured as DirectoryService servers. This update addresses the issue through improved memory handling. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Disk Images
CVE-ID: CVE-2009-2827
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of disk images containing FAT filesystems. Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Dovecot
CVE-ID: CVE-2009-3235
Available for: Mac OS X Server v10.6 and v10.6.1
Impact: A local user may cause an unexpected application termination or arbitrary code execution with system privilege
Description: Multiple buffer overflows exist in dovecot-sieve. By implementing a maliciously crafted dovecot-sieve script, a local user may cause an unexpected application termination or arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of dovecot-sieve scripts. This issue affects Mac OS X Server systems only. This issue does not affect systems prior to Mac OS X v10.6.

Event Monitor
CVE-ID: CVE-2009-2829
Available for: Mac OS X Server v10.5.8
Impact: A remote attacker may cause log injection
Description: A log injection issue exists in Event Monitor.
By connecting to the SSH server with maliciously crafted authentication information, a remote attacker may cause log injection. This may lead to a denial of service as log data is processed by other services. This update addresses the issue through improved escaping of XML output. This issue affects Mac OS X Server systems only. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

fetchmail
CVE-ID: CVE-2009-2666
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: fetchmail is updated to 6.3.11
Description: fetchmail has been updated to 6.3.11 to address a man-in-the-middle issue. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/

file
CVE-ID: CVE-2009-2830
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Running the file command on a maliciously crafted Common Document Format (CDF) file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple buffer overflow vulnerabilities exist in the file command line tool. Running the file command on a maliciously crafted Common Document Format (CDF) file may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by updating file to version 5.03. These issues do not affect systems prior to Mac OS X v10.6.

FTP Server
CVE-ID: CVE-2009-2832
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 and v10.6.1
Impact: An attacker with access to FTP and the ability to create directories on a system may be able to cause unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in FTP Server's CWD command line tool. Issuing the CWD command on a deeply nested directory hierarchy may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
This issue affects Mac OS X Server systems only. Credit: Apple.

Help Viewer
CVE-ID: CVE-2009-2808
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Using Help Viewer on an untrusted network may result in arbitrary code execution
Description: Help Viewer does not use HTTPS for viewing remote Apple Help content. A user on the local network may send spoofed HTTP responses containing malicious help:runscript links. This update addresses the issue by using HTTPS when requesting remote Apple Help content. Credit to Brian Mastenbrook for reporting this issue.

ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

International Components for Unicode
CVE-ID: CVE-2009-2833
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Applications that use the UCCompareTextDefault API may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the UCCompareTextDefault API, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect Mac OS X v10.6 systems. Credit to Nikita Zhuk and Petteri Kamppuri of MK&C for reporting this issue.

IOKit
CVE-ID: CVE-2009-2834
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A non-privileged user may be able to modify the keyboard firmware
Description: A non-privileged user may alter the firmware in an attached USB or Bluetooth Apple keyboard. This update addresses the issue by requiring system privileges to send firmware to USB or Bluetooth Apple keyboards. Credit to K. Chen of Georgia Institute of Technology for reporting this issue.

IPSec
CVE-ID: CVE-2009-1574, CVE-2009-1632
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Multiple vulnerabilities in the racoon daemon may lead to a denial of service
Description: Multiple vulnerabilities in the racoon daemon's ipsec-tools before 0.7.2 may lead to a denial of service. This update addresses the issues by applying patches from the IPsec-Tools project. Further information is available via the IPsec-Tools web site at http://ipsec-tools.sourceforge.net/

Kernel
CVE-ID: CVE-2009-2835
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A local user may cause information disclosure, an unexpected system shutdown, or arbitrary code execution
Description: Multiple input validation issues exist in Kernel's handling of task state segments. These may allow a local user to cause information disclosure, an unexpected system shutdown, or arbitrary code execution. This update addresses the issues through improved input validation. Credit to Regis Duchesne of VMware, Inc. for reporting this issue.

Launch Services
CVE-ID: CVE-2009-2810
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Attempting to open unsafe downloaded content may not lead to a warning
Description: When Launch Services is called to open a quarantined folder, it will recursively clear quarantine information from all files contained within the folder. The quarantine information that is cleared is used to trigger a user warning prior to opening the item. This would allow the user to launch a potentially unsafe item, such as an application, without being presented with the appropriate warning dialog. This update addresses the issue by not clearing this quarantine information from the folder's content. This issue does not affect systems prior to Mac OS X v10.6. Credit: Apple.

libsecurity
CVE-ID: CVE-2009-2409
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Support for X.509 certificates with MD2 hashes may expose users to spoofing and information disclosure as attacks improve
Description: There are known cryptographic weaknesses in the MD2 hash algorithm. Further research could allow the creation of X.509 certificates with attacker controlled values that are trusted by the system. This could expose X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as a trusted root certificate. This is a proactive change to protect users in advance of improved attacks against the MD2 hash algorithm. Credit to Dan Kaminsky of IOACTIVE and Microsoft Vulnerability Research (MSVR) for reporting this issue.

libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Parsing maliciously crafted XML content may lead to an unexpected application termination
Description: Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. Credit to Rauli Kaksonen and Jukka Taimisto from the CROSS project at Codenomicon Ltd. for reporting these issues.

Login Window
CVE-ID: CVE-2009-2836
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A user may log in to any account without supplying a password
Description: A race condition exists in Login Window. If an account on the system has no password, such as the Guest account, a user may log in to any account without supplying a password. This update addresses the issue through improved access checks. This issue does not affect systems prior to Mac OS X v10.6.

OpenLDAP
CVE-ID: CVE-2009-2408
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A man-in-the-middle attacker may be able to impersonate a trusted OpenLDAP server or user even when SSL is being used
Description: An implementation issue exists in OpenLDAP's handling of SSL certificates which have NUL characters in the Common Name field. Using a maliciously crafted SSL certificate, an attacker may be able to perform a man-in-the-middle attack on OpenLDAP transactions which use SSL. This update addresses the issue through improved handling of SSL certificates.

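
The NUL-in-Common-Name handling described for Certificate Assistant (CVE-2009-2825) and OpenLDAP (CVE-2009-2408), shown as an added example in C that is not Apple's or OpenLDAP's code: certificate strings are length-prefixed, so a matcher that treats the CN as a C string stops at the first 0x00 byte, while a length-aware matcher rejects such a CN for every host. The struct, the function names and the sample CN values are hypothetical and constructed for illustration; only exact (non-wildcard) matching is covered.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A Common Name as carried in a certificate: an ASN.1 string is
 * length-prefixed, so its value can contain 0x00 bytes. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample values (hypothetical names, not from the advisory).
 * sizeof - 1 keeps the embedded NUL but drops the literal's terminator. */
static const unsigned char CRAFTED_BYTES[] = "www.example.com\0.attacker.invalid";
static const unsigned char CLEAN_BYTES[] = "www.example.com";
static const struct cn_value CRAFTED_CN = { CRAFTED_BYTES, sizeof CRAFTED_BYTES - 1 };
static const struct cn_value CLEAN_CN = { CLEAN_BYTES, sizeof CLEAN_BYTES - 1 };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ascii_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the length is discarded and the CN is handled as a C
 * string, so everything after the first NUL is silently ignored.
 * (Safe to call here only because the samples are NUL-terminated.) */
int cn_matches_cstring(const struct cn_value *cn, const char *host)
{
    size_t n = strlen((const char *)cn->data);
    return n == strlen(host) && ascii_ieq(cn->data, host, n);
}

/* Length-aware check: a CN containing NUL matches no host at all, and
 * the whole value must equal the host name. */
int cn_matches_strict(const struct cn_value *cn, const char *host)
{
    if (cn->len == 0 || memchr(cn->data, 0, cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && ascii_ieq(cn->data, host, cn->len);
}

/* Render the CN for display with non-printable bytes escaped, so a
 * dialog or log shows the full value instead of a truncated one.
 * Returns the number of characters written (excluding the terminator). */
size_t cn_render(const struct cn_value *cn, char *out, size_t out_sz)
{
    size_t o = 0;
    if (out_sz == 0)
        return 0;
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= out_sz)
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= out_sz)
                break;
            o += (size_t)snprintf(out + o, out_sz - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char shown[128];
    const char *host = "www.example.com";

    cn_render(&CRAFTED_CN, shown, sizeof shown);
    printf("CN as stored      : %s\n", shown);
    printf("CN via %%s         : %s\n", (const char *)CRAFTED_CN.data);
    printf("C-string matcher  : %d\n", cn_matches_cstring(&CRAFTED_CN, host));
    printf("strict matcher    : %d\n", cn_matches_strict(&CRAFTED_CN, host));
    printf("strict, clean CN  : %d\n", cn_matches_strict(&CLEAN_CN, host));
    return 0;
}
```
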
OpenLDAP
CVE-ID: CVE-2007-5707, CVE-2007-6698, CVE-2008-0658
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in OpenLDAP
Description: Multiple vulnerabilities exist in OpenLDAP, the most serious of which may lead to a denial of service or arbitrary code execution. This update addresses the issues by applying the OpenLDAP patches for the referenced CVE IDs. Further information is available via the OpenLDAP web site at http://www.openldap.org/ These issues do not affect Mac OS X v10.6 systems.

OpenSSH
CVE-ID: CVE-2008-5161
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Data in an OpenSSH session may be disclosed
Description: An error handling issue exists in OpenSSH, which may lead to the disclosure of certain data in an SSH session. This update addresses the issue by updating OpenSSH to version 5.2p1. Further information is available via the OpenSSH web site at http://www.openssh.com/txt/release-5.2 This issue does not affect Mac OS X v10.6 systems.

PHP
CVE-ID: CVE-2009-3291, CVE-2009-3292, CVE-2009-3293
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in PHP 5.2.10
Description: PHP is updated to version 5.2.11 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues do not affect Mac OS X v10.6 systems.

QuickDraw Manager
CVE-ID: CVE-2009-2837
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickDraw's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation of PICT images. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue.

QuickLook
CVE-ID: CVE-2009-2838
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow in QuickLook's handling of Microsoft Office files may lead to a buffer overflow. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

QuickTime
CVE-ID: CVE-2009-2202
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2799
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2203
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of MPEG-4 video files. Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Alex Selivanov for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2798
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of FlashPix files. Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Damian Put working with TippingPoint and the Zero Day Initiative for reporting this issue.

FreeRADIUS
CVE-ID: CVE-2009-3111
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A remote attacker may terminate the operation of the RADIUS service
Description: An issue exists in FreeRADIUS in the handling of Access-Request messages. A remote attacker may cause the RADIUS service to terminate by sending an Access-Request message containing a Tunnel-Password attribute with a zero-length attribute value.
After any unexpected termination, the RADIUS service will be automatically restarted. This update addresses the issue through improved validation of zero-length attributes. This issue does not affect Mac OS X v10.6 systems.

Screen Sharing
CVE-ID: CVE-2009-2839
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Accessing a malicious VNC server may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in the Screen Sharing client. Accessing a malicious VNC server, such as by opening a vnc:// URL, may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved memory handling. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Spotlight
CVE-ID: CVE-2009-2840
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A local user may manipulate files with the privileges of another user
Description: An insecure file operation exists in Spotlight's handling of temporary files. This could allow a local user to overwrite files with the privileges of another user. This update addresses the issue through improved handling of temporary files. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Subversion
CVE-ID: CVE-2009-2411
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Accessing a Subversion repository may lead to an unexpected application termination or arbitrary code execution
Description: Multiple heap buffer overflows in Subversion may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues by updating Subversion to version 1.6.5 for Mac OS X v10.6 systems, and by applying the Subversion patches for Mac OS X v10.5.8 systems.
Further information is available via the Subversion web site at http://subversion.tigris.org/

Security Update 2009-006 / Mac OS X v10.6.2 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2009-006 or Mac OS X v10.6.2.

For Mac OS X v10.6.1
The download file is named: MacOSXUpd10.6.2.dmg
Its SHA-1 digest is: f222714b67a8a982f6d11df51987dd09a448130d

For Mac OS X v10.6
The download file is named: MacOSXUpdCombo10.6.2.dmg
Its SHA-1 digest is: adbe2e8a81e227c1903dd049b6a3ea5f60b6ea49

For Mac OS X Server v10.6.1
The download file is named: MacOSXServerUpd10.6.2.dmg
Its SHA-1 digest is: 06ba39076d1f56d216e1dafde7b9e7c93fdcd4dc

For Mac OS X Server v10.6
The download file is named: MacOSXServerUpdCombo10.6.2.dmg
Its SHA-1 digest is: ff61766cb34e82a5aa2d813392511c00231de684

For Mac OS X v10.5.8
The download file is named: SecUpd2009-006.dmg
Its SHA-1 digest is: 8eb0c42c84cf8eebe025d64114dbc861a99a67b0

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2009-006.dmg
Its SHA-1 digest is: b8570d8c678b68ea5d9163af5232a91d8670cf5c

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/