APPLE-SA-2014-05-15-2 iTunes 11.2

APPLE-SA-2014-05-15-2 iTunes 11.2

iTunes 11.2 is now available and addresses the following:

iTunes
Available for:  Windows 8, Windows 7, Vista, XP SP3 or later
Impact:  An attacker in a privileged network position can obtain
iTunes credentials
Description:  Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296



iTunes 11.2 may be obtained from:
http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7 / Windows 8:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 0e96aec6ba9959fd288e662b4fcbe58fd2bb89eb

For 64-bit Windows XP / Vista / Windows 7 / Windows 8:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: eb7da1d648c41a5b1e3ccc00ca26dcaa1f6d04d5

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/