===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2655
           OS X El Capitan 10.11.1 and Security Update 2015-007
                              22 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7035 CVE-2015-7023 CVE-2015-7021
                   CVE-2015-7020 CVE-2015-7019 CVE-2015-7018
                   CVE-2015-7017 CVE-2015-7016 CVE-2015-7015
                   CVE-2015-7010 CVE-2015-7009 CVE-2015-7008
                   CVE-2015-7007 CVE-2015-7006 CVE-2015-7003
                   CVE-2015-6996 CVE-2015-6995 CVE-2015-6994
                   CVE-2015-6993 CVE-2015-6992 CVE-2015-6991
                   CVE-2015-6990 CVE-2015-6989 CVE-2015-6988
                   CVE-2015-6987 CVE-2015-6985 CVE-2015-6984
                   CVE-2015-6983 CVE-2015-6978 CVE-2015-6977
                   CVE-2015-6976 CVE-2015-6975 CVE-2015-6974
                   CVE-2015-6838 CVE-2015-6837 CVE-2015-6836
                   CVE-2015-6835 CVE-2015-6834 CVE-2015-6563
                   CVE-2015-5945 CVE-2015-5944 CVE-2015-5943
                   CVE-2015-5942 CVE-2015-5940 CVE-2015-5939
                   CVE-2015-5938 CVE-2015-5937 CVE-2015-5936
                   CVE-2015-5935 CVE-2015-5934 CVE-2015-5933
                   CVE-2015-5932 CVE-2015-5927 CVE-2015-5926
                   CVE-2015-5925 CVE-2015-5924 CVE-2015-0273
                   CVE-2015-0235 CVE-2014-3565 CVE-2012-6151

Reference:         ASB-2015.0103
                   ASB-2015.0090
                   ASB-2015.0070
                   ASB-2015.0035
                   ESB-2015.0203
                   ESB-2015.0190
                   ESB-2015.0188
                   ESB-2014.0387

Original Bulletin: 
   https://support.apple.com/en-au/HT205375

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2015-10-21-4 OS X El Capitan 10.11.1 and Security Update
2015-007

OS X El Capitan 10.11.1 and Security Update 2015-007 are now
available and address the following:

Accelerate Framework
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in the Accelerate
Framework in multi-threading mode. This issue was addressed through
improved accessor element validation and improved object locking.
CVE-ID
CVE-2015-5940 : Apple

apache_mod_php
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Multiple vulnerabilities in PHP
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.5.29 and 5.4.45. These were addressed by updating PHP to
versions 5.5.29 and 5.4.45.
CVE-ID
CVE-2015-0235
CVE-2015-0273
CVE-2015-6834
CVE-2015-6835
CVE-2015-6836
CVE-2015-6837
CVE-2015-6838

ATS
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in ATS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-6985 : John Villamil (@day6reak), Yahoo Pentest Team

Audio
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code
Description:  An uninitialized memory issue existed in coreaudiod.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-7003 : Mark Brand of Google Project Zero

Audio
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Playing a malicious audio file may lead to arbitrary code
execution
Description:  Multiple memory corruption issues existed in the
handling of audio files. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5933 : Apple
CVE-2015-5934 : Apple

Bom
Available for:  OS X El Capitan 10.11
Impact:  Unpacking a maliciously crafted archive may lead to
arbitrary code execution
Description:  A file traversal vulnerability existed in the handling
of CPIO archives. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2015-7006 : Mark Dowd of Azimuth Security

CFNetwork
Available for:  OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to cookies
being overwritten
Description:  A parsing issue existed when handling cookies with
different letter casing. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of
Tsinghua University, Jian Jiang of University of California,
Berkeley, Haixin Duan of Tsinghua University and International
Computer Science Institute, Shuo Chen of Microsoft Research Redmond,
Tao Wan of Huawei Canada, Nicholas Weaver of International Computer
Science Institute and University of California, Berkeley, coordinated
via CERT/CC

configd
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to elevate privileges
Description:  A heap based buffer overflow issue existed in the DNS
client library. A malicious application with the ability to spoof
responses from the local configd service may have been able to cause
arbitrary code execution in DNS clients.
CVE-ID
CVE-2015-7015 : PanguTeam

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in
CoreGraphics. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5925 : Apple
CVE-2015-5926 : Apple

CoreText
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6992 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6975 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7017 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5944 : John Villamil (@day6reak), Yahoo Pentest Team

Disk Images
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6995 : Ian Beer of Google Project Zero

EFI
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  An attacker can exercise unused EFI functions
Description:  An issue existed with EFI argument handling. This was
addressed by removing the affected functions.
CVE-ID
CVE-2015-7035 : Corey Kallenberg, Xeno Kovah, John Butterworth, and
Sam Cornwell of The MITRE Corporation, coordinated via CERT/CC

File Bookmark
Available for:  OS X El Capitan 10.11
Impact:  Browsing to a folder with malformed bookmarks may cause
unexpected application termination
Description:  An input validation issue existed in parsing bookmark
metadata. This issue was addressed through improved validation
checks.
CVE-ID
CVE-2015-6987 : Luca Todesco (@qwertyoruiop)

FontParser
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5927 : Apple
CVE-2015-5942
CVE-2015-6976 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6977 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6978 : Jaanus Kääp, Clarified Security, working with HP's Zero
Day Initiative
CVE-2015-6991 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6993 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7009 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7010 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7018 : John Villamil (@day6reak), Yahoo Pentest Team

FontParser
Available for:  OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6990 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7008 : John Villamil (@day6reak), Yahoo Pentest Team

Grand Central Dispatch
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted package may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the handling of
dispatch calls. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6989 : Apple

Graphics Drivers
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to cause unexpected system
termination or read kernel memory
Description:  Multiple out of bounds read issues existed in the
NVIDIA graphics driver. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7019 : Ian Beer of Google Project Zero
CVE-2015-7020 : Moony Li of Trend Micro

Graphics Drivers
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7021 : Moony Li of Trend Micro

ImageIO
Available for:  OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact:  Processing a maliciously crafted image file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5935 : Apple
CVE-2015-5938 : Apple

ImageIO
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted image file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5936 : Apple
CVE-2015-5937 : Apple
CVE-2015-5939 : Apple

IOAcceleratorFamily
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6996 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6974 : Luca Todesco (@qwertyoruiop)

Kernel
Available for:  OS X Yosemite v10.10.5
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A type confusion issue existed in the validation of
Mach tasks. This issue was addressed through improved Mach task
validation.
CVE-ID
CVE-2015-5932 : Luca Todesco (@qwertyoruiop), Filippo Bigarella

Kernel
Available for:  OS X El Capitan 10.11
Impact:  An attacker with a privileged network position may be able
to execute arbitrary code
Description:  An uninitialized memory issue existed in the kernel.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-6988 : The Brainy Code Scanner (m00nbsd)

Kernel
Available for:  OS X El Capitan 10.11
Impact:  A local application may be able to cause a denial of service
Description:  An issue existed when reusing virtual memory. This
issue was addressed through improved validation.
CVE-ID
CVE-2015-6994 : Mark Mentovai of Google Inc.

libarchive
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  A malicious application may be able to overwrite arbitrary
files
Description:  An issue existed within the path validation logic for
symlinks. This issue was addressed through improved path
sanitization.
CVE-ID
CVE-2015-6984 : Christopher Crone of Infinit, Jonathan Schleifer

MCX Application Restrictions
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  A developer-signed executable may acquire restricted
entitlements
Description:  An entitlement validation issue existed in Managed
Configuration. A developer-signed app could bypass restrictions on
use of restricted entitlements and elevate privileges. This issue was
addressed through improved provisioning profile validation.
CVE-ID
CVE-2015-7016 : Apple

Net-SNMP
Available for:  OS X El Capitan 10.11
Impact:  An attacker in a privileged network position may be able to
cause a denial of service
Description:  Multiple issues existed in netsnmp version 5.6. These
issues were addressed by using patches affecting OS X from upstream.
CVE-ID
CVE-2012-6151
CVE-2014-3565

OpenGL
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in OpenGL. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5924 : Apple

OpenSSH
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to conduct impersonation attacks
Description:  A privilege separation issue existed in PAM support.
This issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-6563 : Moritz Jodeit of Blue Frost Security GmbH

Sandbox
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  An input validation issue existed when handling NVRAM
parameters. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5945 : Rich Trouton (@rtrouton), Howard Hughes Medical
Institute, Apple

Script Editor
Available for:  OS X El Capitan 10.11
Impact:  An attacker may trick a user into running arbitrary
AppleScript
Description:  In some circumstances, Script Editor did not ask for
user confirmation before executing AppleScripts. This issue was
addressed by prompting for user confirmation before executing
AppleScripts.
CVE-ID
CVE-2015-7007 : Joe Vennix of Rapid7

Security
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to overwrite arbitrary
files
Description:  A double free issue existed in the handling of
AtomicBufferedFile descriptors. This issue was addressed through
improved validation of AtomicBufferedFile descriptors.
CVE-ID
CVE-2015-6983 : David Benjamin, Greg Kerr, Mark Mentovai and Sergey
Ulanov from the Chrome Team

SecurityAgent
Available for:  OS X El Capitan 10.11
Impact:  A malicious application can programmatically control
keychain access prompts
Description:  A method existed for applications to create synthetic
clicks on keychain prompts. This was addressed by disabling synthetic
clicks for keychain access windows.
CVE-ID
CVE-2015-5943

Installation note:

OS X El Capitan v10.11.1 includes the security content of
Safari 9.0.1: https://support.apple.com/kb/HT205377

OS X El Capitan 10.11.1 and Security Update 2015-007 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================