Published:

23 October 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1509
                              OS X Server 3.0
                              23 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X Server
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5143 CVE-2013-1857 CVE-2013-1856
                   CVE-2013-1855 CVE-2013-1854 CVE-2013-0269
                   CVE-2012-3547  

Reference:         ASB-2013.0042
                   ASB-2013.0028
                   ESB-2013.1181
                   ESB-2013.0789
                   ESB-2013.0468
                   ESB-2013.0452
                   ESB-2012.0941
                   ESB-2012.0864

Original Bulletin: 
   http://support.apple.com/kb/HT1222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-10-22-5 OS X Server 3.0

OS X Server 3.0 is now available and addresses
the following:

Profile Manager
Available for:  OS X Mavericks v10.9 or later
Impact:  A remote attacker may be able to cause a denial of service
Description:  The JSON Ruby Gem permanently allocated memory when
parsing certain constructs in its input. An attacker could exploit
this to use all available memory leading to a denial of service. This
issue was addressed through additional validation of JSON data.
CVE-ID
CVE-2013-0269
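
The entry above says the fix was "additional validation of JSON data" before parsing. The following is an added illustration of what that kind of validation looks like in a Ruby service that accepts JSON; it is not Apple's or the json gem's own code. The function name, the byte and nesting caps, and the sample inputs are assumptions chosen for this example; the JSON.parse options it passes (max_nesting, create_additions, symbolize_names) are real options of the json gem.

```ruby
require 'json'

# Added example (not from the advisory): a defensive wrapper around JSON.parse
# that bounds what an untrusted document can make the parser do.
class JsonInputRejected < StandardError; end

MAX_JSON_BYTES   = 64 * 1024   # assumed cap on request body size
MAX_JSON_NESTING = 20          # assumed cap on nesting depth

def safe_parse_json(input, max_bytes: MAX_JSON_BYTES, max_nesting: MAX_JSON_NESTING)
  raise JsonInputRejected, "input is not a String" unless input.is_a?(String)

  # Reject oversized bodies before the parser ever sees them.
  if input.bytesize > max_bytes
    raise JsonInputRejected, "body of #{input.bytesize} bytes exceeds cap of #{max_bytes}"
  end

  begin
    JSON.parse(input,
               max_nesting: max_nesting,  # bound recursion depth on nested arrays/objects
               create_additions: false,   # never instantiate classes named inside the document
               symbolize_names: false)    # keep keys as ordinary Strings
  rescue JSON::NestingError => e          # subclass of ParserError, so it must come first
    raise JsonInputRejected, "nesting too deep: #{e.message}"
  rescue JSON::ParserError => e
    raise JsonInputRejected, "malformed JSON: #{e.message}"
  end
end

# Constructed helper for exercising the nesting cap: "[[[...]]]" of the given depth.
def build_nested(depth)
  ("[" * depth) + ("]" * depth)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from the advisory.
  puts safe_parse_json('{"name":"alice","roles":["admin"]}').inspect
  [["oversized", "x" * 100, { max_bytes: 50 }],
   ["too deep",  build_nested(21), {}]].each do |label, doc, opts|
    begin
      safe_parse_json(doc, **opts)
      puts "#{label}: accepted"
    rescue JsonInputRejected => e
      puts "#{label}: rejected (#{e.message})"
    end
  end
end
```

The size check runs first so that the cost of rejecting a hostile body is a single length comparison; the parser options then bound the work the parser may do on anything that passes. Surfacing every rejection as one exception type keeps the calling code's error handling uniform.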

Profile Manager
Available for:  OS X Mountain Lion v10.9 or later
Impact:  Multiple issues in Ruby on Rails
Description:  Multiple issues existed in Ruby on Rails, the most
serious of which may lead to cross site scripting. These issues were
addressed by updating the Rails implementation used by Profile
Manager to version 2.3.18.
CVE-ID
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857

FreeRADIUS
Available for:  OS X Mavericks v10.9 or later
Impact:  A remote attacker may be able to cause a denial of service
or arbitrary code execution
Description:  A buffer overflow existed in FreeRADIUS when parsing
the 'not after' timestamp in a client certificate, when using TLS-
based EAP methods. This issue was addressed by updating FreeRADIUS to
version 2.2.0.
CVE-ID
CVE-2012-3547

Server App
Available for:  OS X Mavericks v10.9 or later
Impact:  Server may use a fallback certificate during authentication
Description:  A logic issue existed whereby the RADIUS service could
choose an incorrect certificate from the list of configured
certificates. The issue was addressed by using the same certificate
as other services.
CVE-ID
CVE-2013-5143 : Arek Dreyer of Dreyer Network Consultants, Inc.


OS X Server 3.0 may be obtained from Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
=w5wB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUmdJchLndAQH1ShLAQKPfA//YAk1ntfDCrzXE6G7kfG/FM4AxONz0rHv
o1zeAfAbrmmcXnmAgih4SHaDvQTtohDkf2L8t7i78BHAR/VZ/4lsN6PwfCdwrV/z
58RcBzcgfhgnuD5ET8yENGmk7o0PipLEYOevQ6dfZafWydMR64ulfks3TogILtiV
FZqMA66W9J+SxshUePcG4PIRwXNQMvab1TZUxiFggE6szK88sEFaYTxw3Jswvsma
NkOL8ipes7VgoWWPA/TdVRhM6rnZhqVaiiVPSYC89ato0FuWpkb3ZpqBwNJQZZh1
4UzlDZn32xkhPs87/cYTivIe1eXzncE8jpK8ni/Z5OXGVnrLUlIQJKH2iFaRii6R
5LUVAJJV85euIq2YG0S6hhAkWhckoyYa/qhDGty0rWzKe2DY318wJTdEPf20jL9i
Q8ltafJ1m6/Z2lqqrygvrGzE2qI9OQLBoUtx/kKnWg/KhDEhVYwP9CuVVUuty3SZ
THiEFJ/gOphtGGr0YpMdR0xK1M57otW60+mrnrVL75AuDsXxuqE3M0L1RfdIJehB
rBHug8M//xNWgB+pk/M6z4wzyh2zPExSSVTsERrvjDvqUNj0BjdHrk/or3Eeh6mM
NJcKDTUl9UzkJOF/zl66A+DK9hLu32wMFBmPNVB3bsaqhObY5sPyePWLVgexCtxP
1J2fe/kzAI4=
=Jrfu
-----END PGP SIGNATURE-----