Apple Releases Mac OS X v10.6.5 and Security Update 2010-007

Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple vulnerabilities affecting a number of packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, conduct cross-site scripting attacks, cause a denial-of-service condition, or bypass security restrictions.

Systems using PGP WDE should not be updated. Public reports indicate that a compatibility issue exists between PGP WDE and the Mac OS X v10.6.5 update. Applying the Mac OS X v10.6.5 update to a system running PGP WDE will prevent the system from successfully booting. Additional information about this issue can be found in PGP knowledgebase article 2288.

Users and administrators are encouraged to review Apple article HT4435 and apply any necessary updates. Users and administrators running PGP WDE should delay updating to Mac OS X v10.6.5 until a solution has been identified. PGP WDE users who cannot postpone updating to Mac OS X v10.6.5, or who have previously updated to Mac OS X v10.6.5 and are unable to boot their systems, should refer to PGP knowledgebase article 2288 for instructions on safely applying this update or recovering a system that fails to boot because this update was applied.

UPDATE: Apple has released Mac OS X Server v10.6.5 build 10H575 to address an issue with the Dovecot package in the initial release of Mac OS X Server v10.6.5. Mac OS X Server users and administrators are encouraged to review Apple article HT4452 and update to Mac OS X Server v10.6.5 build 10H575.

US-CERT will provide additional information as it becomes available.