Operating System:

[OSX]

Published:

22 March 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0748
                              OS X Server 5.1
                               22 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X Server
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1787 CVE-2016-1777 CVE-2016-1776
                   CVE-2016-1774  

Original Bulletin: 
   https://support.apple.com/en-au/HT206173

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-03-21-7 OS X Server 5.1

OS X Server 5.1 is now available and addresses the following:

Server App
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An administrator may unknowingly store backups on a volume
without permissions enabled
Description:  An issue in Time Machine server did not properly warn
administrators if permissions were ignored when performing a server
backup. This issue was addressed through improved warnings.
CVE-ID
CVE-2016-1774 : CJKApps

Web Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An attacker may be able to exploit weaknesses in the RC4
cryptographic algorithm
Description:  RC4 was removed as a supported cipher.
CVE-ID
CVE-2016-1777 : Pepi Zawodsky

Web Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  A remote user may be able to view sensitive configuration
information
Description:  A file access issue existed in Apache with .DS_Store
and .htaccess files. This issue was addressed through improved access
restrictions.
CVE-ID
CVE-2016-1776 : Shawn Pullum of University of California, Irvine

Wiki Server
Available for:  OS X Yosemite v10.10.5 and later
Impact:  An attacker in a privileged network position may be able to
leak sensitive user information
Description:  An access issue existed in some Wiki pages. This issue
was addressed through improved access restrictions.
CVE-ID
CVE-2016-1787 : an anonymous researcher

OS X Server 5.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJW8JQQAAoJEBcWfLTuOo7txasP/RcVgQ2t03szn0LLt0PSFjD9
PZg339iTYRk7sCHyNYwEnBeqdyDuO3005d4yaZ2R2OAI8Q806DJSpcTMG8Nu3sm3
xXceiVb/k+sRzh0nJaSHSVkw2GRzElsm5i6b3yFndeVnXF9eDphrjTeV2MFvoTRl
t2Ml6IiTu944yJlh/NOmdjQZ+Uc2I+REDbUimeCMJVuuVmtd9UNS5VesC5u1BHyb
bDmrd+pazmEjGwWwvxTE4raN7o/st7ZV2uxcjl8/73b/lVy9wBR/J4sxltyWNnm8
PJKbn/J5t8+tqKHupVvOuj4L6GnsOe154oL7bbOmrAhkVBeqBSdUBe9eQNIH0ji3
YwUdyDb3Wy1SyVNvN69tTd+ICTyh7XQQWMUTqV3xgp6tNJ19FXPdv9K/E55n62kw
alfIzLhRafLV7NzUbAgsY8iuC6b3YTd9EJM0mDuh8hlTWYRC7N8HEtyxe4hAhfuO
wMy1sRXWAiTBIZRJKL8KgAiIf7GdyKOvhgfcoL3dEGe5lw2Z9DCHyRihMOWFo2/Q
LsJTxV9grMWN4WJLAm0h9z6AVbIELpRp4HBiq95ndaWm7bZbj6tFCRXvQaMerPut
kuXD3izfEVZvtCSs7i4HKPgZLRgFRd687yVYeTSx2nyhOIeKd+tTfmUjMEw06PaT
9p0+e+mVlJlCmWiFIwsu
=nxck
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVvDNOn6ZAP0PgtI9AQJ6uQ//UOoVLoJDBzwRbCZjb/JaOvoEUGiHDFi8
vfdX+kac0IwRzejW0MgSVZQjRUa12Gj/UZwVaOC9eI+FfXakSQrbUxvBo987XKMe
TtfDzXfP1YNGjOIwqS3fHjb43kn9lpepzLUkDfUBsGUk42BLDvSWUYL5ZqRed51Y
XB8VS/ieQeh2B+rdrKlKdZzazPML9KoBSTnom5adKCwKkto5Trlp2yTPAk5CGIDF
ZxTBgxyoT34YD16GYSAnH12Jj31tFUAdcjBUrEtZbFL3LdCqLQes5nvs+Y8AnDuG
7o/fMqoW2l6N3dFKaKdM5cZtvgcMd4UZEmtxWuosqlqjvtsOvNOyB13kt9X3Wxrt
UmlVoOwQSLvs6pPpglnKUNLZ4CEIlmEkkGc+AajL8X2wlhIqFELESMett8Y0OVsl
RWy1LhVGMW3q+fEu5OxhNRf/J0+zaI3SFfHhQtCqaAtLRHDNBA2JdmKGP120h+tt
iE87g488CRSRRvNqftbTjPPYVHcR4jsvNGyvOdeF8lFHK+8i03IMbD9yDKjeXo5E
44E5dUhYCglhbENqyOc9RrZtkBuqcB+d7W0udjGL0bp3irJrEiYGBNKlzqevlZS2
ncpXn94b4yIm4C2vpwy8FOBwLyqEwRmgwISr9vhsVBalSSfUdsuiEZNz9zQkD+qq
NGLfhQJismg=
=Wpsd
-----END PGP SIGNATURE-----