
APPLE-SA-2009-03-11 iTunes 8.1

Posted on 11 March 2009
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-03-11 iTunes 8.1

iTunes 8.1 is now available and addresses the following:

iTunes
CVE-ID: CVE-2009-0016
Available for: Windows XP or Vista
Impact: Sending a maliciously crafted DAAP message may lead to a
denial of service
Description: An infinite loop exists in the handling of iTunes
Digital Audio Access Protocol (DAAP) messages. Sending a message
containing a maliciously crafted Content-Length parameter in the DAAP
header may lead to a denial of service. This update addresses the
issue by performing additional validation of DAAP messages. This
issue does not affect Mac OS X systems. Credit to Xiaopeng Zhang,
Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security
Research Team for reporting this issue.

iTunes
CVE-ID: CVE-2009-0143
Available for: Mac OS X v10.4.10 or later,
Mac OS X Server v10.4.10 or later, Windows XP or Vista
Impact: Subscribing to a malicious podcast may lead to the
disclosure of iTunes username and password
Description: A design issue exists in the iTunes podcast feature. A
subscription to a malicious podcast may cause an authentication
dialog to be presented to the user. This dialog may entice the user
to send iTunes credentials to the podcast server. This update
addresses the issue by clarifying the origin of the authentication
request in the dialog. Credit to Simon Bellwood for reporting this
issue.

iTunes 8.1 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes8.1.dmg"
Its SHA-1 digest is: 6c9ee64741158c9f45417b965b38b01ea3b51af1

For Windows XP / Vista:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 562bcc78760c4055f84d53730089a62dfa9c3fcf

For Windows XP / Vista 64 Bit:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: fb07309a0196b424ed434be1143f9e8bcd978d62

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 
