Apple's OS X version 10.5.5 was released on 15 September. It's a 321 MB download - 601 MB as the combo update. Apple recommend it for all Leopard users.
Although some fixes [BIND, ClamAV, OpenSSH, Ruby] are propagated through the 'open source community', others are for code that's Apple's own.
10.5.5 updates or adds over 5,000 files.
|ATS||CVE-2008-2305||Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.|
|BIND||--||Performance issues with previous version 9.4.2-P1.|
|ClamAV||CVE-2008-0314, CVE-2008-1100, CVE-2008-1387, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215|
|Directory Services||CVE-2008-2329||By supplying wildcard characters in the user name field a list of user names from Active Directory may be displayed.|
|Directory Services II||CVE-2008-2330||A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.|
|Finder||CVE-2008-2331||Finder does not update displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the file system Sharing & Permissions will take effect but will not be displayed.|
|Finder II||CVE-2008-3613||An attacker with access to the local network can cause a denial of service.|
|ImageIO||CVE-2008-2327||Multiple uninitialised memory access issues in libTIFF handling of LZW-encoded TIFF images.|
|ImageIO II||CVE-2008-2332||Memory corruption issue in ImageIO handling of TIFF images.|
|ImageIO III||CVE-2008-3608||Memory corruption issue in ImageIO handling of ICC profiles in JPEG images.|
|ImageIO IV||CVE-2008-1382||Precautionary measure for libpng.|
|Kernel||CVE-2008-3609||Cached credentials are not always flushed when a vnode is recycled.|
|Libresolv||CVE-2008-1447||Part of the Kaminsky vulnerability.|
|Login Window I||CVE-2008-3610||Race condition with guest account or other account with no password enabled.|
|Login Window II||CVE-2008-3611||A user with access to the login screen may be able to change a password.|
|mDNSResponder||CVE-2008-1447||Part of the Kaminsky vulnerability.|
|OpenSSH||CVE-2008-1483, CVE-2008-1657||Multiple vulnerabilities including local X11 session control.|
|QuickDraw Manager||CVE-2008-3614||A maliciously crafted PICT image can lead to an unexpected application termination or arbitrary code execution.|
|Ruby||CVE-2008-2376||Integer overflow in rb_ary_fill().|
|SearchKit||CVE-2008-3616||Integer overflow in several functions.|
|System Configuration||CVE-2008-2312||Network Preferences stores PPP passwords unencrypted in a world-readable file accessible to any local user.|
|System Preferences||CVE-2008-3617||VNC users can be misled into believing their passwords are stronger than they are.|
|System Preferences II||CVE-2008-3618||Authenticated users can have unexpected remote access to files and directories.|
|Time Machine||CVE-2008-3619||Log files saved to the backup drive as world-readable.|
|VideoConference||CVE-2008-3621||Memory corruption in handling of H.264 encoded media.|
It's always good to see open source fixes propagated and in-house blunders corrected. But deep-rooted issues exist within 10.5 - a system that's almost a year old. These are issues that were not found in previous versions of OS X. Apple need to give these issues a high priority.