Apple recently released its December security update. The 12.7MB download
consists of several updated components including Apache, AppKit, HIToolbox,
Kerberos, Postfix, PSNormalizer, Safari, and Terminal. From MacCentral:

“Several Apache modules were updated, improving security for both client and
server versions of Mac OS X. According to Apple, Apache mod_digest_apple
authentication is vulnerable to replay attacks in Mac OS X Server.
Corrections for the replay problem were made in versions 1.3.31 and 1.3.32
of Apache and have been included in this update.

“For Mac OS X client and server, multiple vulnerabilities in Apache and
mod_ssl including local privilege escalation, remote denial of service and,
in some modified configurations, execution of arbitrary code. Apache and
mod_ssl have been updated to fix this issue.

“Other issues found with Apache and corrected with this security update
include: Apache configurations did not fully block access to ‘.DS_Store’
files or those starting with ‘.ht’; file data and resource fork content can
be retrieved via HTTP, bypassing normal Apache file handlers; and modified
Apache 2 configurations could permit a privilege escalation for local users
and remote denial of service.”