Apple's OS X version 10.5.5 was released on 15 September. It's a 321 MB download - 601 MB as the combo update. Apple recommend it for all Leopard users.
Although some fixes [BIND, ClamAV, OpenSSH, Ruby] are propagated through the 'open source community', others are for code that's Apple's own.
10.5.5 updates or adds over 5,000 files.
Module | CVE | Description |
--- | --- | --- |
ATS | CVE-2008-2305 | Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. |
BIND | -- | Performance issues with previous version 9.4.2-P1. |
ClamAV | CVE-2008-0314, CVE-2008-1100, CVE-2008-1387, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215 | Multiple vulnerabilities. |
Directory Services | CVE-2008-2329 | By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed. |
Directory Services II | CVE-2008-2330 | A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig. |
Finder | CVE-2008-2331 | Finder does not update displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the file system Sharing & Permissions will take effect but will not be displayed. |
Finder II | CVE-2008-3613 | An attacker with access to the local network can cause a denial of service. |
ImageIO | CVE-2008-2327 | Multiple uninitialised memory access issues in libTIFF handling of LZW-encoded TIFF images. |
ImageIO II | CVE-2008-2332 | Memory corruption issue in ImageIO handling of TIFF images. |
ImageIO III | CVE-2008-3608 | Memory corruption issue in ImageIO handling of ICC profiles in JPEG images. |
ImageIO IV | CVE-2008-1382 | Precautionary measure for libpng. |
Kernel | CVE-2008-3609 | Cached credentials are not always flushed when a vnode is recycled. |
Libresolv | CVE-2008-1447 | Part of the Kaminsky vulnerability. |
Login Window I | CVE-2008-3610 | Race condition with guest account or other account with no password enabled. |
Login Window II | CVE-2008-3611 | A user with access to the login screen may be able to change a password. |
mDNSResponder | CVE-2008-1447 | Part of the Kaminsky vulnerability. |
OpenSSH | CVE-2008-1483, CVE-2008-1657 | Multiple vulnerabilities including local X11 session control. |
QuickDraw Manager | CVE-2008-3614 | A maliciously crafted PICT image can lead to an unexpected application termination or arbitrary code execution. |
Ruby | CVE-2008-2376 | Integer overflow in rb_ary_fill(). |
SearchKit | CVE-2008-3616 | Integer overflow in several functions. |
System Configuration | CVE-2008-2312 | Network Preferences stores PPP passwords unencrypted in a world-readable file accessible to any local user. |
System Preferences | CVE-2008-3617 | VNC users can be misled into believing their passwords are stronger than they are. |
System Preferences II | CVE-2008-3618 | Authenticated users can have unexpected remote access to files and directories. |
Time Machine | CVE-2008-3619 | Log files saved to the backup drive as world-readable. |
VideoConference | CVE-2008-3621 | Memory corruption in handling of H.264 encoded media. |
Wiki Server | CVE-2008-3622 | A remote attacker can cause persistent JavaScript injection. |
It's always good to see open source fixes propagated and in-house blunders corrected. But deep-rooted issues exist within 10.5 - a system that's almost a year old. These are issues that were not found in previous versions of OS X. Apple need to give these issues a high priority.