| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Jul 2012 16:49:40 -0700 From: Apple Product Security <product-security-noreply@...ts.apple.com> To: security-announce@...ts.apple.com Subject: APPLE-SA-2012-07-25-2 Xcode 4.4 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-07-25-2 Xcode 4.4 Xcode 4.4 is now available and addresses the following: neon Available for: OS X Lion v10.7.4 and later Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. The neon library (used by Subversion) disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling the countermeasure. CVE-ID CVE-2011-3389 Xcode Available for: OS X Lion v10.7.4 and later Impact: Helper tools built with Xcode allow any App Store application to read their keychain entries Description: All signed programs contain a designated requirement (DR) which states, from the perspective of the developer of the program, what constraints a program needs to satisfy in order to be considered an instance of this program. When a Developer ID was used with Xcode to sign a product that did not have a bundle identifier, such as a command-line tool or an embedded helper, the generated DR for the product did not include the developer's ID in the part of the DR that applies to apps signed by the App Store. As a result, any App Store app may have accessed keychain items created by the product. This is addressed by generating a DR with improved checks. Affected products need to be re-signed with this version of Xcode to include the improved DR. CVE-ID CVE-2012-3698 Xcode 4.4 may be obtained from the Downloads section of the Apple Developer Connection Member site: http://developer.apple.com/ Login is required, and membership is free. Xcode 4.4 is also available from the App Store. It is free to anyone with OS X 10.7.x Lion and later. The download file is named: "xcode446938108a.dmg" Its SHA-1 digest is: d04393543564f85c2f4d82e507d596d3070e9aba Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJQDy5fAAoJEPefwLHPlZEwWasP/iuE4F9PkoV01YyZlBeoQ/qE zn62KshgNUkVq0TPe/leKG0UXWxYsPQQy1+KC9o7ULnGZWrQLexO7ZySz3eImbIW VdPXslMzEbk3YiRi/syeo16IwZheMqatKTS47NTG5xREg17vos889xbqxML4ijNN 4IysAFqewbG1qdvu35RkO4uhxO/+6pLiXjkQx/z21ml8S3ZZNnPxCE/9sGWqIJ7R pO/9+hIecX05wtSUCkqfARZxObSDs0VTQZUak+8fKAF8k5aNY8GdnMrxNBCX9vkU hHgLTQ4lXaqSv2UEhbkjaZuLHHNFkNINf1pbABDWASiATP0wSLVFYM3KabMqid8I WS4b3aplqi5GqOHqRWOTtbSTsPJC73DF1PrHlvPZm7WYQmIrF6DPIlmIfK058Fqp QRpz3H1cZwFf2B/oS4VGwtqjj606lRn7En3psMRlCyKSTdUYPd5dzCIyg8CNlpuy 9AAKEU6fhY2JCEm+2LtqdBZI+WvCET50hD9ZEzkq/2m/sazASJ5W9VtH1JzFHm9N RvE4NS6k/u6BLU2zsUiqJ/cyVGMV7RF3gIEi+NXAShFNHfavDPgoTN2MPkeT3V0C sa6X/O3dn4F9PFJZvqKyHKeBRI0lV3PSgKP/xC/K+cD/YraFFFvUn7XoVZ2A8uPW bYcdpG4AJaNdEGZY71xq =OWIG -----END PGP SIGNATURE-----
Powered by blists - more mailing lists