-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1879
                             OS X Server v4.0
                              17 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          OS X Server
Publisher:        Apple
Operating System: OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Access Privileged Data          -- Existing Account            
                  Denial of Service               -- Remote/Unauthenticated      
                  Cross-site Scripting            -- Remote with User Interaction
                  Unauthorised Access             -- Remote/Unauthenticated      
                  Access Confidential Data        -- Remote with User Interaction
                  Reduced Security                -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-4447 CVE-2014-4446 CVE-2014-4424
                  CVE-2014-4406 CVE-2014-3566 CVE-2014-0591
                  CVE-2014-0066 CVE-2014-0065 CVE-2014-0064
                  CVE-2014-0063 CVE-2014-0062 CVE-2014-0061
                  CVE-2014-0060 CVE-2013-6393 CVE-2013-4854
                  CVE-2013-4164 CVE-2013-3919 

Reference:        ASB-2014.0122
                  ASB-2013.0130
                  ESB-2014.1858
                  ESB-2014.1619
                  ESB-2014.0220
                  ESB-2014.0130.2
                  ESB-2013.1019
                  ESB-2013.0790

Comment: This bulletin contains three (3) Apple security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-10-16-3 OS X Server v4.0

OS X Server v4.0 is now available and addresses the following:

BIND
Available for:  OS X Yosemite v10.10 or later
Impact:  Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description:  Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591

CoreCollaboration
Available for:  OS X Yosemite v10.10 or later
Impact:  A remote attacker may be able to execute arbitrary SQL
queries
Description:  A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad

CoreCollaboration
Available for:  OS X Yosemite v10.10 or later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC

CoreCollaboration
Available for:  OS X Yosemite v10.10 or later
Impact:  Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description:  Multiple vulnerabilities existed in PostgreSQL. These
issues were addressed by updating PostgreSQL to version 9.2.7.
CVE-ID
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066

Mail Service
Available for:  OS X Yosemite v10.10 or later
Impact:  Group SACL changes for Mail may not be respected until after
a restart of the Mail service
Description:  SACL settings for Mail were cached and changes to the
SACLs were not respected until after a restart of the Mail service.
This issue was addressed by resetting the cache upon changes to the
SACLs.
CVE-ID
CVE-2014-4446 : Craig Courtney

Profile Manager
Available for:  OS X Yosemite v10.10 or later
Impact:  Multiple vulnerabilities in LibYAML, the most serious of
which may lead to arbitrary code execution
Description:  Multiple vulnerabilities existed in LibYAML. These
issues were addressed by switching from YAML to JSON as Profile
Manager's internal serialization format.
CVE-ID
CVE-2013-4164
CVE-2013-6393

Profile Manager
Available for:  OS X Yosemite v10.10 or later
Impact:  A local user may obtain passwords after setting up or
editing profiles in Profile Manager
Description:  In certain circumstances, setting up or editing
profiles in Profile Manager may have logged passwords to a file. This
issue was addressed through improved handling of credentials.
CVE-ID
CVE-2014-4447 : Mayo Jordanov

Server
Available for:  OS X Yosemite v10.10 or later
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team

ServerRuby
Available for:  OS X Yosemite v10.10 or later
Impact:  Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description:  An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags. This issue does not affect systems prior to OS X
Mavericks.
CVE-ID
CVE-2013-6393


OS X Server v4.0 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUQCLKAAoJEBcWfLTuOo7tqr0P/1fGVeD8xAAgMRpH/hYYkKpj
CGKAUBfTXM9clAhUHP1Es+T1qG67JX9CNrrl5yKMQCupojgNIkO1D0Pj5QlLZzkL
HR6AgI8eYeykiw8VRFI8DC7f3q/A1aRrijj8bPQ6BoPUq28Vya/GjEAMxV1l21l1
qLyNiDH8X8DC/CWyxOXVMD4yqIpzCOPEIAvgV1aB0z1UEdw7fLLBCEIAkNR3tL9M
5OlRT8X4dzpx3YpTvlB9s7zIAPtLgTjcVpPbkT2yJ9OZsewml2aFM7NWDYpYhIRg
z7bOMmKZep15a+XeXH7cdqXMfHW/XGdkYF/4Z85wHG44Kebaikq+K0XoTxjHlqXi
9rtNdcwh+p4DxTQNO0fK7WbfAo7FiF6aonY9D9hp47jbhB9KODVeOpqo6B7sOudq
tBAAS1pBbrsULUWRCZRaN3LlPigtInqIIPuLGVQx4ApUo1guxXb0A88ZU3yiR+Bl
RJHAEoevKjqhLiZDt1V8sSk6sPAh7p02deP5RDIwNJfapP+RrXoJ6knexRD44kNb
MwVD6a2EcOoRFgwcjvgFZ1etpoHT/VAs7Ql/GjWN5snDLsZ/vlGtSPn1i3kjkxBZ
oYDmJfC91RoC6exW7img3H9csN0sgtVGJRLrf6cdg41EjVjQaUUVQfBn/DVVyMb8
fIWnhQEvESJVqfrk3Q3X
=LbVb
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-10-16-4 OS X Server v3.2.2

OS X Server v3.2.2 is now available and addresses the following:

Server
Available for:  OS X Mavericks v10.9.5 or later
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team


OS X Server v3.2.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUQCJGAAoJEBcWfLTuOo7tyI0P/imLx5IYlrtwP9X6sCUaRNfa
cjjI5T5ooRX1g83wc3sBGJnUaY5TYEpL8+aVdW0hL/Q8l+DCbvbTHDK1hcxNoPX7
NsXgLFjKd56/mupWbx5beAjOA8Xey6F4tubYFNSppUEk0X9DKyVVmHNxPUnf/mTG
F0opjTmLX9hJVsVvGGncBd24HxnkZJXvjd5Dfi+r/CBv1tFaL3ermZlnrba1cCaP
mtZ06TAONykDYXN3GypSHZKedUIsMyQuuz+GDR2CC8Gw3P4sbbCfNkR2HNGFXPSt
EG58UIdNqbbfDoTg3gR/u8e7XUrqQzSP/fq2lG1qraFpirodb67UKueVvOS1pqZQ
HXJzLV5zSOx1GRLRp2hxQ7htILQGPE6alBnuqTKpe3cDxJ4h5HbZBdDIQNlLK2/y
YxcCwt9AdmHr2BP2AmAE6X3jxTVbfCWxT+1ddTj+FX29DYRYSJHE4XTXAus6m4NI
0uIVGv3OnmLA4r+7IGECQlMmPec0hkkWJV3otwIT83In1WMNlz85Q4Ypjo4jYfWW
lEvnN15Pn8opiyHY62vPCufuroPklK1K6pIMIyFFJBGA2GVk1jqF9gNgIYqYwhMC
meaHWPu1wD82eRUBmTVHiNfKtqLx8MALBfp8uaklrfpnafrqxxuhS4ZjCEA0YU14
NqlhvAS6z144pQkwp1dt
=UMhr
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-10-16-5 OS X Server v2.2.5

OS X Server v2.2.5 is now available and addresses the following:

Server
Available for:  OS X Mountain Lion v10.8.5
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team


OS X Server v2.2.5 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIbBAEBAgAGBQJUQCKNAAoJEBcWfLTuOo7tl5UP90cGp+wElIUvSYZIlSHZdaPZ
YxKFiIjLj4eGUF4b79vQweQtwQiqMUKh0F9qZZ7QlOimNhBrhZvwjRx/aD8LePhS
KhNRH8I2YPK32vws4ufojFZvjuL+Zs2RwQ/1nPgf/STJ5wHQLQolfkh+HKaED+cz
Yg36da7tZ0uEcWvUbWEnq0Ewz+DUF4UffhVLIbmuC0HdmGMEuGoFdhU0+zsTZmcH
YhFfQwsZX/xbTwyMWH0k1hhS1w9QyoNnhC9CbQBmjv6CYuW/6MuksONesfL10oVL
u9fxSzuGchv/iHZQ60UE5d+H7e1lWvl/Baw065w5Ie2bx/YEevvkda2pA/LnQSea
rbFlykfOuBLR47Eg7MalBSJxkO87en1ASyz9oLKTErYm/AjYI22Xq/e2kmst4UW4
24t7iNdNJzp4SQyvS2kUW9T4P2PGV16zkv5fUELYK/uFejaQ8LoF3t+LpMiluibf
nKYJbdsF/14xDygG5fL5KBOYL/cPFXlradykKgZnWhkflJYKzHp05u2ILI+Stv+V
BaniDoMTn53OBT875/xTKmv3igbkwU5YIrJLsNZRCnFchlP0bAWixjiqSqcs6f6j
io+/R05z0IPi6FE05cCi8CH2wMunrwgh3HhSCTiXl12vt3DXSBrmMuDyRLqGxEC4
93VoWCgAlgjlfdjjI40=
=tAhs
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVEB2MhLndAQH1ShLAQIY8w/+OnQkqtz0r+XD6OyPhP4vqHIBuuULMNhD
md3RPaSHdOFI8pExLUl6IVCH//1NkOGQZ8PoZebroEPSWmCtiW9obrM1IrAWKi+1
h6BveVJxwnIDcGTvyDsKHWF1MgeT8F/CFyzx2NWPC7OnEiu9p6hpM9rNJGLjCZBw
S3qFwkJ46mczY5LH5nz92rvt6/5bFAJW4xvwR89U7y2NMk2fSt4zBqbCVBTaGVzO
OT6JHfQ2NSqcZi7+LUVjVajvWj8XIQfCLDEnxO5Tl4UqwletcSZqPKQfCn/6Sa8X
Qq5afPDMSadY127rx+Lav6Ensvg8YbjrykcTiwGvmO6/DC6GlJjq+JxzUeY/6EP0
POUobTs/aRF6ofw32RwlExlB3b5UYfPrrSPLzi1XVwUYjrYcdV9YgP+bPrAvwfw4
iJwI0aIRyjMp9fMC4AkYt83vS0lER+vnK9WWPPXtPrHJrPzrpCf6mdXI1XKtT0H4
bk4L2E1kJdZE3nBTleA9S3/rhdABDzy0fCaQtJC6g3mARnqXZELhm1Gt8iUFOd63
bsFPwGScM1WtlhL0T/cVmtwmlPIfDTHxfCtISSQKKeprT69QVANs7KlmFpRo2CAP
9zXcfcpqBOU2pISumDzagf+enw31Ov3S3mv2X1MQ1BR4SiWwMpJz6C0yJdhjCZsF
o393nA4JbBM=
=tOJ5
-----END PGP SIGNATURE-----