-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-05-16-1 iTunes 11.0.3

iTunes 11.0.3 is now available and addresses the following:

iTunes
Available for:  Mac OS X v10.6.8 or later, Windows 7, Vista,
XP SP2 or later
Impact:  An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description:  A certificate validation issue existed in iTunes. In
certain contexts, an active network attacker could present untrusted
certificates to iTunes and they would be accepted without warning.
This issue was resolved by improved certificate validation.
CVE-ID
CVE-2013-1014 : Christopher of ThinkSECURE Pte Ltd, Christopher
Hickstein of University of Minnesota

iTunes
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code executionn
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0912 : Nils and Jon from MWR Labs working with HP
TippingPoint's Zero Day Initiative
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0960 : Apple
CVE-2013-0961 : wushi of team509 working with iDefense VCP
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP TippingPoint's Zero
Day Initiative
CVE-2013-0998 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-0999 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-1000 : Fermin J. Serna of the Google Security Team
CVE-2013-1001 : Ryan Humenick
CVE-2013-1002 : Sergey Glazunov
CVE-2013-1003 : Google Chrome Security Team (Inferno)
CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1007 : Google Chrome Security Team (Inferno)
CVE-2013-1008 : Sergey Glazunov
CVE-2013-1010 : miaubiz
CVE-2013-1011 : Google Chrome Security Team (Inferno)


iTunes 11.0.3 may be obtained from:
http://www.apple.com/itunes/download/

For OS X:
The download file is named: "iTunes11.0.3.dmg"
Its SHA-1 digest is: 83f4afc5d3b5698c811c87c27b975824116bbf1d

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1e95101b584762b3c46ab597c115cd86bfd45d64

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 6669044bd50c1f753c8412a02556a70be09fd9f8

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJRlQ9KAAoJEPefwLHPlZEwbhcP+QHZGEAVCTw4+Z5k67ninaCS
BV11pa8iySzuv0XZ9Se+CsI37IT1P3bVqEw/A+1i989Q00kaGCBNyt9m65krxNVX
EhFLB8IxCfZqpM4C8ENhOkrY05iOfLx/DW7ioYM9TGTckpb6ayKkUBHkqn+bY3Hq
b9rVeulzPfNsm1QtNp9eRGAL5Kq8vgEAlrMebUF1vOQ8CvGoGNplk0xRBm3Wg0im
gCal7A/fwp9OQUnmlUMeASgbX+Q94ytM6RbPVXwiL1ghTK4bO2LEW1PXdp58cWhv
kNtqO8eOokMl6wwLI6T69GmyfvoL7p5FcDRvuLCtzf2R9j6JgkXYMamP2Mbpr4d3
xlNS2slJQfyRVELnJOv8bxl7Fi2EpBQtUe4WRk7StNWf34kwAb7lWUd1amfIWNcp
lZSojjpShrA7zz82FZxt3q79Tq7Y398FH7ObcJVCWdbCI89TsoBujkP/P6lcp6mz
TnRVLZq6xWnWz1SUsvM5qBfb1LjUREvKDc1anWVaiqW2BJEF0Mc87hkyL5q6YrIv
VyUFBT5cJIqAKUD7MzsUjDMIsyXALVyj9zh1lJ0+c8QdCjPetk8tUg6TCun0nw95
nkFYZJcHDZVLzn8rC/GoE2x8CwhFwN8ATzeS/zV9vxTJ1sHBN+ewkez8i8YTIj+y
9M/53y+vsPwrcmmXCS3o
=eN5K
-----END PGP SIGNATURE-----