Yesterday Apple released Security Updates for both Panther and Panther Server 
(OS X 10.3) and Jaguar and Jaguar Server (OS X 10.2). Both are available via 
Software Update or the Web. (Note that the Jaguar Update requires OS X 10.2.8, 
which means that if you still haven't updated to OS X 10.2.8, you'll need to do 
so to take advantage of this Security Update.) 
Security Update 2003-11-19 for Panther provides the following updated 
components:  
  OpenSSL: Fixes CAN-2003-0851. Parsing of particular malformed ASN.1 
  sequences is now handled in a more secure manner. 
  zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no 
  functions in Mac OS X that used the vulnerable gzprintf() function, the 
  underlying issue in zlib has been fixed to protect any third-party 
  applications that may potentially use this library.  
Security Update 2003-11-19 for Jaguar 10.2.8 provides the following updated 
components:  
  gm4: Fixes CAN-2001-1411. A format string vulnerability in the gm4 
  utility. No setuid root programs relied on gm4 and this fix is a preventive 
  measure against a possible future exploit. 
  groff: Fixes VU#399883 where the groff component pic contained a 
  format-string vulnerability. 
  Mail w/CRAM-MD5 authentication: Fixes CAN-2003-0881. The Mac OS X Mail 
  application will no longer fall back to plain text login when an account is 
  configured to use MD5 Challenge Response. 
  OpenSSL: Fixes CAN-2003-0851. Parsing of particular malformed ASN.1 
  sequences is now handled in a more secure manner. 
  Personal File Sharing: Fixes CAN-2003-0878. When Personal File Sharing is 
  enabled, the slpd daemon can no longer create a root-owned file in the /tmp 
  directory to gain elevated privileges. 
  QuickTime for Java: Fixes CAN-2003-0871. A potential vulnerability that 
  could allow unauthorized access to a system. 
  zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no 
  functions in Mac OS X that used the vulnerable gzprintf() function, the 
  underlying issue in zlib has been fixed to protect any third-party 
  applications that may potentially use this library.  
It appears as though these two updates fix the issues that generated various 
security advisories in late October and early November.