ESB-2014.1619 - [OSX] OS X Server: Multiple vulnerabilities

Date: 18 September 2014
References: ESB-2014.0220  ESB-2014.1879  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1619
                  OS X Server 3.2.1 and OS X Server 2.2.3
                             18 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          OS X Server
Publisher:        Apple
Operating System: OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Increased Privileges            -- Existing Account            
                  Modify Arbitrary Files          -- Existing Account            
                  Cross-site Scripting            -- Remote with User Interaction
                  Denial of Service               -- Existing Account            
                  Access Confidential Data        -- Existing Account            
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-4424 CVE-2014-4406 CVE-2014-0066
                  CVE-2014-0065 CVE-2014-0064 CVE-2014-0063
                  CVE-2014-0062 CVE-2014-0061 CVE-2014-0060

Reference:        ESB-2014.0220

Comment: This bulletin contains two (2) Apple security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-09-17-5 OS X Server 3.2.1

OS X Server 3.2.1 is now available and addresses the following:

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  A remote attacker may be able to execute arbitrary SQL
queries
Description:  A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  Visiting a maliciously crafted website may lead to the
execution of arbitrary JavaScript
Description:  A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description:  Multiple vulnerabilities existed in PostgreSQL. This
issue was addressed by updating PostgreSQL to version 9.2.7.
CVE-ID
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066


OS X Server 3.2.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-09-17-6 OS X Server 2.2.3

OS X Server 2.2.3 is now available and addresses the following:

CoreCollaboration
Available for:  OS X Mountain Lion v10.8.5
Impact:  A remote attacker may be able to execute arbitrary SQL
queries
Description:  A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad
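The two fix classes named in these advisories (additional validation of SQL queries for the Wiki Server injection in both the 3.2.1 and 2.2.3 bulletins, and improved encoding of HTML output for the Xcode Server cross-site scripting issue) correspond to two standard defensive patterns. The following Python block is an added illustration, not code from Apple, Wiki Server or Xcode Server; the page table, the `pages` schema, the function names and the sample rows are constructed for the example and say nothing about how the real products are implemented.

```python
import html
import sqlite3

# Constructed sample data standing in for a wiki's page table; this is not
# Wiki Server's schema, just enough rows to show the difference in behaviour.
SAMPLE_PAGES = [
    ("Home", "Welcome"),
    ("Roadmap", "Plans for Q4"),
    ("Private notes", "Not for everyone"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def find_page_unsafe(conn: sqlite3.Connection, title: str) -> list:
    """Injectable pattern: the user-supplied title is spliced into the SQL
    text, so quote characters in the input change the query's structure
    instead of being treated as part of the value being searched for."""
    query = f"SELECT title FROM pages WHERE title = '{title}'"
    return [row[0] for row in conn.execute(query)]


def find_page(conn: sqlite3.Connection, title: str) -> list:
    """Hardened pattern: a bound parameter keeps the input as data. The
    database driver never parses the value as SQL, whatever it contains."""
    query = "SELECT title FROM pages WHERE title = ?"
    return [row[0] for row in conn.execute(query, (title,))]


def render_title(title: str) -> str:
    """Encode untrusted text before placing it in HTML so that any markup in
    the input is displayed literally rather than interpreted by the browser.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


if __name__ == "__main__":
    conn = make_db()
    # A title containing a stray quote: the unsafe lookup returns every row,
    # the parameterised lookup correctly finds no page with that exact title.
    odd_title = "' OR '1'='1"
    print("unsafe:", find_page_unsafe(conn, odd_title))
    print("safe:  ", find_page(conn, odd_title))
    print(render_title("<script>alert(1)</script>"))
```

The check to carry over to a code review or a pentest report is the same for both issues: does untrusted input ever reach an interpreter (SQL parser, HTML parser) as part of the language rather than as data? Bound parameters and context-appropriate output encoding answer that question structurally, whereas input validation alone is only as good as the list of characters someone remembered to reject.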

OS X Server 2.2.3 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----