===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0748
                              OS X Server 5.1
                               22 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X Server
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1787 CVE-2016-1777 CVE-2016-1776
                   CVE-2016-1774

Original Bulletin:
   https://support.apple.com/en-au/HT206173

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2016-03-21-7 OS X Server 5.1

OS X Server 5.1 is now available and addresses the following:

Server App
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An administrator may unknowingly store backups on a volume without permissions enabled
Description:  An issue in Time Machine server did not properly warn administrators if permissions were ignored when performing a server backup. This issue was addressed through improved warnings.
CVE-ID
CVE-2016-1774 : CJKApps

Web Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm
Description:  RC4 was removed as a supported cipher.
CVE-ID
CVE-2016-1777 : Pepi Zawodsky

Web Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  A remote user may be able to view sensitive configuration information
Description:  A file access issue existed in Apache with .DS_Store and .htaccess files. This issue was addressed through improved access restrictions.
CVE-ID
CVE-2016-1776 : Shawn Pullum of University of California, Irvine

Wiki Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An attacker in a privileged network position may be able to leak sensitive user information
Description:  An access issue existed in some Wiki pages. This issue was addressed through improved access restrictions.
CVE-ID
CVE-2016-1787 : an anonymous researcher

OS X Server 5.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================