Operating System:

[Apple iOS]

Published:

11 December 2019

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2019.4631 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4631
                                Xcode 11.3
                             11 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xcode
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8840  

Original Bulletin: 
   https://support.apple.com/kb/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2019-12-10-7 Xcode 11.3

Xcode 11.3 is now available and addresses the following:

ld64
Available for: macOS Mojave 10.14.4 and later
Impact: Compiling with untrusted sources may lead to arbitrary code
execution with user privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8840: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team

Additional recognition

Clang
We would like to acknowledge an anonymous researcher for their
assistance.

Installation note:

Xcode 11.3 may be obtained from:

https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "11.3".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfCEnGaOgq3Tt24GAQiafQ//dsAU5SHZX/uWUUP5Xt5x65YsaDV4G6g6
gDCVM2bIlv/BzCXVz7JEbP8tGwg1Xmc+jr4rWQA2Tg0OZ0x4PqBA3gKh8+gtw9Ox
AB6MFMkwQxt5pSYAY6ZWUY8bPY2RHtLUljUsCJzN/ZF1Gp3uL5CGxViprZAwSBj7
VmkWM9q6GaigfWlg2Uo9HsfpoyqbfZn0tIG3n6Z2o2V002lvZZzdu3U6CDzP/DRh
QAhHD11M9m+KwwtRLffGY0WYQQ+uzZI9ctZ8im35dUdWJU4AKy8BWlWvAme+ym4c
M11lVAtfwO4tuVGn9t1fhL4blR5jPMXxjKl0uzK6emiAZCf5c/lMqYr2ILsWZzjq
jbAEPRQ8zKdmlC3NNovwr3eIxixmpUGSBZ6U6PuPlHvwI4mSjF1JqO2zXPDxcVt5
p99W33AWsllbK6zkTrKM5f3aRp3CP9d7KHRz+uOkOg0m84aAeTnrYbTg51SOgWDQ
BcFHBGxoiV6V/vjlG2Y2j384SevidtotwvcmHKOkEBMfNMnCpeDgAnXC1/fgyNuH
MfGP4992bjI3qxfxnTJTw9RBLg5vZei3rUj2P1d5C3LKQOo/XUR8qjJrmTpBh4Gr
67mrr8DT2ZvXWoSr9wrFvbixJ6WGEtYDEJMCH9g7GHD+4rzmx1F6VlacAZUuARfP
O4TJwnQ7AOc=
=otum
-----END PGP SIGNATURE-----