Critical Patch Update – April 2009
CVE-2009-1233
Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to cause a denial of service (application crash) via an XML document containing many nested A elements. (CVSS:4.3) (Last Update:2010-08-21)
CVE-2009-1235
XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does not properly restrict interaction between user space and the HFS IOCTL handler, which allows local users to overwrite kernel memory and gain privileges by attaching an HFS+ disk image and performing certain steps involving HFS_GET_BOOT_INFO fcntl calls. (CVSS:7.2) (Last Update:2009-08-13)
CVE-2009-1238
Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and earlier on Apple Mac OS X 10.5.6 and earlier allows local users to cause a denial of service (kernel memory corruption) by simultaneously executing the same HFS_SET_PKG_EXTENSIONS code path in multiple threads, which is problematic because of lack of mutex locking for an unspecified global variable. (CVSS:7.2) (Last Update:2009-04-18)
CVE-2009-1237
Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call. (CVSS:4.9) (Last Update:2009-04-18)
CVE-2009-1236
Heap-based buffer overflow in the AppleTalk networking stack in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allows remote attackers to cause a denial of service (system crash) via a ZIP NOTIFY (aka ZIPOP_NOTIFY) packet that overwrites a certain ifPort structure member. (CVSS:10.0) (Last Update:2009-04-18)
New pages and RSS feeds for security announcements
Separate Security Announcements by Type
To make the impact of different security advisories and announcements easier to see, they are now separated by type.
Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml
Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml
Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml
We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.
All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
All future public service announcements will only be posted to the Public service announcements page and feed.
Background on the Changes
At Drupalcon in Washington, D.C. earlier this month, members of the Security team held a “Birds of a Feather” session to discusses various topics including improvements to our process of communicating with the public.
One outcome of this meeting was that we decided to more clearly differentiate among security advisories for Drupal core (which affect all users) as opposed to security advisories for contributed projects (which are often used by only tens of sites). In addition, the security team has on occasion issued announcements (such as this one), which were previously mixed in with actual security advisories.
Since the Drupal 6.x upgrade of http://drupal.org, newsletter postings have been managed using forums. The security team has thus split security-related postings among three forums under http://drupal.org/forum/1188.
All past and new advisories and announcements and their feeds can be viewed (via tabs) on http://drupal.org/security.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Front page news:
[ANNOUNCE] libapreq2-2.12 Released
libapreq2-2.12 Released
The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.12 release of libapreq2. This
Announcement notes significant changes introduced by this release.
libapreq2-2.12 is released under the Apache License
version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.12.tar.gz
size: 859412 bytes
md5: 76e2acde0d82246dea6f2565f3746eec
libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides
1) version 2.7.1 of the libapreq2 library,
2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,
3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.
========================================================================
Changes with libapreq2-2.12 (released March 13, 2009)
- C API [joes]
Make the cookie parser a little more flexible.
- Interactive CGI module [issac]
Allow cgi module to interactively prompt for parameters and cookies when
running a script from the command line and not from a CGI interface
- Perl Glue [joes]
Fix the linking of the perl modules to libapreq2 and libapr
on Solaris.
- Perl Glue [joes]
Fix install-time linking issue of the .so modules.
Previously they would remain linked against the src
library path, not the install path.
- C API [joes]
Add optional interface for apreq_handle_apache2().
- C API [joes]
Clean up buggy apreq_hook_find_param().
- Perl Glue Build [Philip M. Gollucci]
config.status format changed format yet again in autoconf 2.62+.
- License [Mladen Turk]
Add libapreq.rc and generate libapreq.res
- Build [Mladen Turk]
Add APREQ_DECLARE_EXPORT/APREQ_DECLARE_STATIC
in the same way as APR declares so that dllexport/dllimport
get correctly handled.
- Build [Randy Kobes]
Add appropriate manifest command to embed manifest files on Win32
when using VC8
- C API [Andy Grundman, joes]
Add missing bytes_read initializer to apreq_handle_custom().
- C API [suggested by Vinay Y S, tested by Steve Hay and Peter Walsham]
For Win32, remove the
flag |= APR_FILE_NOCLEANUP | APR_SHARELOCK;
in apreq_file_cleanup, to avoid problems with file uploads.
- C API [joes]
Fix leak associated to calling apreq_brigade_fwrite() on an upload
brigade.
- Build [Philip M. Gollucci]
SunOS (Solaris)
Users must use gmake not make for building.
- Build [Philip M. Gollucci]
SunOS (Solaris)
Code around bug in libtool (at least in 1.5.18, 1.5.20, 1.5.22)
causing mod_apreq2 to be built instead of mod_apreq2.so
- C API [Philip M. Gollucci]
Fix comparison signed vs unsigned comparison
in apreq_fwritev() on SunOS/gcc where iovec.iov_len is a long.
- Build [Philip M. Gollucci]
SunOS (Solaris)
fix duplicate link error to libexpat.so -- by using the one from httpd
exclusively now.
- Build [Philip M. Gollucci]
code around |#_!!_#| autoconf 2.60 bug.
Welcome to the Norton Users Community Forum!
The Norton Users Community Forum is officially out of Beta! This has been a great project, and we appreciate your help in establishing this community. Many thanks to everyone who has joined the Norton Forums since our launch in April 2008.
We kicked off this project with the intent of creating a place where Norton customers, employees and other people interested in dialogue could meet online to discuss our products and related topics; from system tune-up to malware removal to suggestions for future product features. With your feedback, we have been able to grow these forums into an excellent resource for such a dialogue, and we continue to see the potential for growth in the forums. We still plan to build out boards for the rest of the product line and in more languages than just English.
Recently we have added some new features — a board specifically for Norton Macintosh products, the “image upload” and storage feature for all users, and some updated icons to make Symantec employees stand out more.
So once again, thank you for swinging by our new neighborhood, and helping to make it your neighborhood as well.