Operating System:

[OSX]

Published:

28 March 2017

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0814
        macOS Sierra 10.12.4, Security Update 2017-001 El Capitan,
                   and Security Update 2017-001 Yosemite
                               28 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           macOS
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Existing Account            
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Permissions              -- Existing Account            
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6974 CVE-2017-5486 CVE-2017-5485
                   CVE-2017-5484 CVE-2017-5483 CVE-2017-5482
                   CVE-2017-5342 CVE-2017-5341 CVE-2017-5205
                   CVE-2017-5204 CVE-2017-5203 CVE-2017-5202
                   CVE-2017-2487 CVE-2017-2486 CVE-2017-2485
                   CVE-2017-2483 CVE-2017-2482 CVE-2017-2478
                   CVE-2017-2474 CVE-2017-2473 CVE-2017-2472
                   CVE-2017-2467 CVE-2017-2462 CVE-2017-2461
                   CVE-2017-2458 CVE-2017-2457 CVE-2017-2456
                   CVE-2017-2451 CVE-2017-2450 CVE-2017-2449
                   CVE-2017-2448 CVE-2017-2443 CVE-2017-2441
                   CVE-2017-2440 CVE-2017-2439 CVE-2017-2438
                   CVE-2017-2437 CVE-2017-2436 CVE-2017-2435
                   CVE-2017-2432 CVE-2017-2431 CVE-2017-2430
                   CVE-2017-2429 CVE-2017-2428 CVE-2017-2427
                   CVE-2017-2426 CVE-2017-2425 CVE-2017-2423
                   CVE-2017-2422 CVE-2017-2421 CVE-2017-2420
                   CVE-2017-2418 CVE-2017-2417 CVE-2017-2416
                   CVE-2017-2413 CVE-2017-2410 CVE-2017-2409
                   CVE-2017-2408 CVE-2017-2407 CVE-2017-2406
                   CVE-2017-2403 CVE-2017-2402 CVE-2017-2401
                   CVE-2017-2398 CVE-2017-2392 CVE-2017-2390
                   CVE-2017-2388 CVE-2017-2381 CVE-2017-2379
                   CVE-2016-10161 CVE-2016-10160 CVE-2016-10159
                   CVE-2016-10158 CVE-2016-10012 CVE-2016-10011
                   CVE-2016-10010 CVE-2016-10009 CVE-2016-9935
                   CVE-2016-9586 CVE-2016-9540 CVE-2016-9539
                   CVE-2016-9538 CVE-2016-9537 CVE-2016-9536
                   CVE-2016-9535 CVE-2016-9533 CVE-2016-8743
                   CVE-2016-8740 CVE-2016-8575 CVE-2016-8574
                   CVE-2016-7993 CVE-2016-7992 CVE-2016-7986
                   CVE-2016-7985 CVE-2016-7984 CVE-2016-7983
                   CVE-2016-7975 CVE-2016-7974 CVE-2016-7973
                   CVE-2016-7940 CVE-2016-7939 CVE-2016-7938
                   CVE-2016-7937 CVE-2016-7936 CVE-2016-7935
                   CVE-2016-7934 CVE-2016-7933 CVE-2016-7932
                   CVE-2016-7931 CVE-2016-7930 CVE-2016-7929
                   CVE-2016-7928 CVE-2016-7927 CVE-2016-7926
                   CVE-2016-7925 CVE-2016-7924 CVE-2016-7923
                   CVE-2016-7922 CVE-2016-7585 CVE-2016-7056
                   CVE-2016-5636 CVE-2016-5387 CVE-2016-3619
                   CVE-2016-2161 CVE-2016-0736 

Reference:         ASB-2017.0021
                   ASB-2017.0014
                   ASB-2016.0108
                   ESB-2016.1766
                   ESB-2016.1765
                   ESB-2016.1764

Original Bulletin: 
   https://support.apple.com/en-au/HT207615

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2017-03-27-3 macOS Sierra 10.12.4, Security Update
2017-001 El Capitan, and Security Update 2017-001 Yosemite

macOS Sierra 10.12.4, Security Update 2017-001 El Capitan,
and Security Update 2017-001 Yosemite are now available and
address the following:

apache
Available for:  macOS Sierra 10.12.3
Impact: A remote attacker may be able to cause a denial of service
Description: Multiple issues existed in Apache before 2.4.25. These
were addressed by updating LibreSSL to version 2.4.25.
CVE-2016-0736: an anonymous researcher
CVE-2016-2161: an anonymous researcher
CVE-2016-5387: an anonymous researcher
CVE-2016-8740: an anonymous researcher
CVE-2016-8743: an anonymous researcher

apache_mod_php
Available for:  macOS Sierra 10.12.3
Impact: Multiple issues existed in PHP before 5.6.30
Description: Multiple issues existed in PHP before 5.6.30. These were
addressed by updating PHP to version 5.6.30.
CVE-2016-10158
CVE-2016-10159
CVE-2016-10160
CVE-2016-10161
CVE-2016-9935

AppleGraphicsPowerManagement
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed through improved memory
handling.
CVE-2017-2421: @cocoahuke

AppleRAID
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2438: sss and Axis of 360Nirvanteam

Audio
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2430: an anonymous researcher working with Trend Micro’s
Zero Day Initiative
CVE-2017-2462: an anonymous researcher working with Trend Micro’s
Zero Day Initiative

Bluetooth
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2420: Pekka Oikarainen, Matias Karhumaa and Marko Laakso of
Synopsys Software Integrity Group

Bluetooth
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2427: Axis and sss of Qihoo 360 Nirvan Team

Bluetooth
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2449: sss and Axis from 360NirvanTeam

Carbon
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted .dfont file may lead to
arbitrary code execution
Description: A buffer overflow existed in the handling of font files.
This issue was addressed through improved bounds checking.
CVE-2017-2379: riusksk (泉哥) of Tencent Security Platform
Department, John Villamil, Doyensec

CoreGraphics
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: An infinite recursion was addressed through improved
state management.
CVE-2017-2417: riusksk (泉哥) of Tencent Security Platform
Department

CoreMedia
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted .mov file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
.mov files. This issue was addressed through improved memory
management.
CVE-2017-2431: kimyok of Tencent Security Platform Department

CoreText
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2435: John Villamil, Doyensec

CoreText
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2017-2450: John Villamil, Doyensec

CoreText
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted text message may lead to
application denial of service
Description: A resource exhaustion issue was addressed through
improved input validation.
CVE-2017-2461: Isaac Archambault of IDAoADI, an anonymous researcher

curl
Available for:  macOS Sierra 10.12.3
Impact: Maliciously crafted user input to libcurl API may allow
arbitrary code execution
Description: A buffer overflow was addressed through improved bounds
checking.
CVE-2016-9586: Daniel Stenberg of Mozilla

EFI
Available for:  macOS Sierra 10.12.3
Impact: A malicious Thunderbolt adapter may be able to recover the
FileVault 2 encryption password
Description: An issue existed in the handling of DMA. This issue was
addressed by enabling VT-d in EFI.
CVE-2016-7585: Ulf Frisk (@UlfFrisk)

FinderKit
Available for:  macOS Sierra 10.12.3
Impact: Permissions may unexpectedly reset when sending links
Description: A permission issue existed in the handling of the Send
Link feature of iCloud Sharing. This issue was addressed through
improved permission controls.
CVE-2017-2429

FontParser
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2406: riusksk (泉哥) of Tencent Security Platform
Department
CVE-2017-2487: riusksk (泉哥) of Tencent Security Platform
Department

FontParser
Available for:  macOS Sierra 10.12.3
Impact: Parsing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2407: riusksk (泉哥) of Tencent Security Platform
Department

FontParser
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2017-2439: John Villamil, Doyensec

HTTPProtocol
Available for:  macOS Sierra 10.12.3
Impact: A malicious HTTP/2 server may be able to cause undefined
behavior
Description: Multiple issues existed in nghttp2 before 1.17.0. These
were addressed by updating LibreSSL to version 1.17.0.
CVE-2017-2428

Hypervisor
Available for:  macOS Sierra 10.12.3
Impact: Applications using the Hypervisor framework may unexpectedly
leak the CR8 control register between guest and host
Description: An information leakage issue was addressed through
improved state management.
CVE-2017-2418: Alex Fishman and Izik Eidus of Veertu Inc.

iBooks
Available for:  macOS Sierra 10.12.3
Impact: Parsing a maliciously crafted iBooks file may lead to local
file disclosure
Description: An information leak existed in the handling of file
URLs. This issue was addressed through improved URL handling.
CVE-2017-2426: Craig Arendt of Stratum Security, Jun Kokatsu
(@shhnjk)

ImageIO
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2416: Qidan He (何淇丹, @flanker_hqd) of KeenLab, Tencent

ImageIO
Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6,
and OS X Yosemite v10.10.5
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2432: an anonymous researcher working with Trend Micro's
Zero Day Initiative

ImageIO
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2467

ImageIO
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to unexpected
application termination
Description: An out-of-bound read existed in LibTIFF versions before
4.0.7. This was addressed by updating LibTIFF in ImageIO to version
4.0.7.
CVE-2016-3619

Intel Graphics Driver
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2443: Ian Beer of Google Project Zero

IOATAFamily
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2408: Yangkang (@dnpushme) of Qihoo360 Qex Team

IOFireWireAVC
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2436: Orr A, IBM Security

IOFireWireAVC
Available for:  macOS Sierra 10.12.3
Impact: A local attacker may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2437: Benjamin Gnahm (@mitp0sh) of Blue Frost Security

IOFireWireFamily
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2017-2388: Brandon Azad, an anonymous researcher

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2398: Lufeng Li of Qihoo 360 Vulcan Team
CVE-2017-2401: Lufeng Li of Qihoo 360 Vulcan Team

Kernel
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An input validation issue existed in the kernel. This
issue was addressed through improved input validation.
CVE-2017-2410: Apple

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An integer overflow was addressed through improved input
validation.
CVE-2017-2440: an anonymous researcher

Kernel
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with root privileges
Description: A race condition was addressed through improved memory
handling.
CVE-2017-2456: lokihardt of Google Project Zero

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2472: Ian Beer of Google Project Zero

Kernel
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2473: Ian Beer of Google Project Zero

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An off-by-one issue was addressed through improved
bounds checking.
CVE-2017-2474: Ian Beer of Google Project Zero

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-2478: Ian Beer of Google Project Zero

Kernel
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2482: Ian Beer of Google Project Zero
CVE-2017-2483: Ian Beer of Google Project Zero

Keyboards
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code
Description: A buffer overflow was addressed through improved bounds
checking.
CVE-2017-2458: Shashank (@cyberboyIndia)

libarchive
Available for:  macOS Sierra 10.12.3
Impact: A local attacker may be able to change file system
permissions on arbitrary directories
Description: A validation issue existed in the handling of symlinks.
This issue was addressed through improved validation of symlinks.
CVE-2017-2390: Omer Medan of enSilo Ltd

libc++abi
Available for:  macOS Sierra 10.12.3
Impact: Demangling a malicious C++ application may lead to arbitrary
code execution
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2441

LibreSSL
Available for: macOS Sierra 10.12.3, and OS X El Capitan v10.11.6
Impact: A local user may be able to leak sensitive user information
Description: A timing side channel allowed an attacker to recover
keys. This issue was addressed by introducing constant time
computation.
CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere
University of Technology)

MCX Client
Available for:  macOS Sierra 10.12.3
Impact: Removing a configuration profile with multiple payloads may
not remove Active Directory certificate trust
Description: An issue existed in profile uninstallation. This issue
was addressed through improved cleanup.
CVE-2017-2402: an anonymous researcher

Menus
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to disclose process memory
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2017-2409: Sergey Bylokhov

Multi-Touch
Available for:  macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2422: @cocoahuke

OpenSSH
Available for:  macOS Sierra 10.12.3
Impact: Multiple issues in OpenSSH
Description: Multiple issues existed in OpenSSH before version 7.4.
These were addressed by updating OpenSSH to version 7.4.
CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012

OpenSSL
Available for:  macOS Sierra 10.12.3
Impact: A local user may be able to leak sensitive user information
Description: A timing side channel issue was addressed by using
constant time computation.
CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere
University of Technology)

Printing
Available for:  macOS Sierra 10.12.3
Impact: Clicking a malicious IPP(S) link may lead to arbitrary code
execution
Description: An uncontrolled format string issue was addressed
through improved input validation.
CVE-2017-2403: beist of GrayHash

python
Available for:  macOS Sierra 10.12.3
Impact: Processing maliciously crafted zip archives with Python may
lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of zip
archives. This issue was addressed through improved input validation.
CVE-2016-5636

QuickTime
Available for:  macOS Sierra 10.12.3
Impact: Viewing a maliciously crafted media file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickTime. This
issue was addressed through improved memory handling.
CVE-2017-2413: Simon Huang(@HuangShaomang) and pjf of IceSword Lab of
Qihoo 360

Security
Available for:  macOS Sierra 10.12.3
Impact: Validating empty signatures with SecKeyRawVerify() may
unexpectedly succeed
Description: An validation issue existed with cryptographic API
calls. This issue was addressed through improved parameter
validation.
CVE-2017-2423: an anonymous researcher

Security
Available for:  macOS Sierra 10.12.3
Impact: An attacker with a privileged network position may capture or
modify data in sessions protected by SSL/TLS
Description: Under certain circumstances, Secure Transport failed to
validate the authenticity of OTR packets. This issue was addressed by
restoring missing validation steps.
CVE-2017-2448: Alex Radocea of Longterm Security, Inc.

Security
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with
root privileges
Description: A buffer overflow was addressed through improved bounds
checking.
CVE-2017-2451: Alex Radocea of Longterm Security, Inc.

Security
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted x509 certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the parsing of
certificates. This issue was addressed through improved input
validation.
CVE-2017-2485: Aleksandar Nikolic of Cisco Talos

SecurityFoundation
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted certificate may lead to
arbitrary code execution
Description: A double free issue was addressed through improved
memory management.
CVE-2017-2425: kimyok of Tencent Security Platform Department

sudo
Available for:  macOS Sierra 10.12.3
Impact: A user in an group named "admin" on a network directory
server may be able to unexpectedly escalate privileges using sudo
Description: An access issue existed in sudo. This issue was
addressed through improved permissions checking.
CVE-2017-2381

System Integrity Protection
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to modify protected
disk locations
Description: A validation issue existed in the handling of
system installation. This issue was addressed through improved
handling and validation during the installation process.
CVE-2017-6974: Patrick Wardle of Synack

tcpdump
Available for:  macOS Sierra 10.12.3
Impact: An attacker in a privileged network position may be able to
execute arbitrary code with user assistance
Description: Multiple issues existed in tcpdump before 4.9.0. These
were addressed by updating tcpdump to version 4.9.0.
CVE-2016-7922
CVE-2016-7923
CVE-2016-7924
CVE-2016-7925
CVE-2016-7926
CVE-2016-7927
CVE-2016-7928
CVE-2016-7929
CVE-2016-7930
CVE-2016-7931
CVE-2016-7932
CVE-2016-7933
CVE-2016-7934
CVE-2016-7935
CVE-2016-7936
CVE-2016-7937
CVE-2016-7938
CVE-2016-7939
CVE-2016-7940
CVE-2016-7973
CVE-2016-7974
CVE-2016-7975
CVE-2016-7983
CVE-2016-7984
CVE-2016-7985
CVE-2016-7986
CVE-2016-7992
CVE-2016-7993
CVE-2016-8574
CVE-2016-8575
CVE-2017-5202
CVE-2017-5203
CVE-2017-5204
CVE-2017-5205
CVE-2017-5341
CVE-2017-5342
CVE-2017-5482
CVE-2017-5483
CVE-2017-5484
CVE-2017-5485
CVE-2017-5486

tiffutil
Available for:  macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to unexpected
application termination
Description: An out-of-bound read existed in LibTIFF versions before
4.0.7. This was addressed by updating LibTIFF in AKCmds to version
4.0.7.
CVE-2016-3619
CVE-2016-9533
CVE-2016-9535
CVE-2016-9536
CVE-2016-9537
CVE-2016-9538
CVE-2016-9539
CVE-2016-9540

WebKit
Available for:  macOS Sierra 10.12.3
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed
through improved state management.
CVE-2017-2486: redrain of light4freedom

WebKit
Available for:  macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2392: Max Bazaliy of Lookout

WebKit
Available for:  macOS Sierra 10.12.3
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2457: lokihardt of Google Project Zero

Installation note:

macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and
Security Update 2017-001 Yosemite may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWNnMiYx+lLeg9Ub1AQjJWg/+Ic096cL4G6ex8f7BEYh2SiOXHWnIq/K4
om73JFqcjcM5pogrlxx2m79udaIuUMWNQWWjWfqA+w/laJBnwB0aqgpeUbtagKBs
tXwBf5B0vOIf6l/LN+j+9FDtcz/+bM6xNRos+UsqAUpMt9qNBAiDFBssdGP3Cjfv
90SBBu+HonWaqFWh6HOnOPWgMtPuvEeig6gXZ19UGMrnG+dwsmF+0MdUTnqnbwqD
pYMztJJIJWXA+mGMazOtBHy04hjnV28h9jzWxWe6ALGdwOGvfJIkYFhxH2Yw4hUC
ZZlbddqZER8oiKbeT+2+skUA9r4hELSg1O0b+8bnutMh7EtlRmk/ongBQIkUVOBH
qEONepXH2k2s4o55ZA8Ry2fSe6UnCfov02V0R6YubhT0DmZWNzF5NClscNE2jy+e
73weEoiwUXVx7OQZWQXbUpSk3DMq9F2tYPVH3XFtblBh0n82PLTHSTooZTp9JYz0
0rij6i0crsijUJiWDgdPciUlYJRuLosk9OxCWV3ipJlgSJI1dLJEfIfuludDqf7i
Zc45TTIH1vd6AHs57oMtopHfoVsXGLj8II3B2ey0OZSdZjzACwgyHiXWnf04OfEQ
aYuay6G1ITTt+4TCDo9/eZ3Us4s/AgM2KEABxBoaR0oNMfvOoUxOqPAdydIoa1io
1aK8+TJDwYQ=
=/Lae
-----END PGP SIGNATURE-----