ESB-2016.0744 - [OSX] Apple Xcode: Multiple vulnerabilities

Date: 22 March 2016
References: ASB-2015.0079  ESB-2015.2056  ESB-2015.2139  ESB-2015.2358  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0744
          Multiple vulnerabilities have been identified in Xcode
                               22 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Xcode
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1765 CVE-2015-3187 CVE-2015-3184

Reference:         ASB-2015.0079
                   ESB-2015.2358
                   ESB-2015.2139
                   ESB-2015.2056

Original Bulletin: 
   https://support.apple.com/en-au/HT206172

--------------------------BEGIN INCLUDED TEXT--------------------


APPLE-SA-2016-03-21-4 Xcode 7.3

Xcode 7.3 is now available and addresses the following:

otool
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1765 : Proteas of Qihoo 360 Nirvan Team and Will Estes
(@squiffy)

subversion
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious server may be able to execute arbitrary code
Description:  Multiple vulnerabilities existed in subversion versions
prior to 1.7.21, the most serious of which may have led to remote
code execution. These were addressed by updating subversion to
version 1.7.22.
CVE-ID
CVE-2015-3184 : C. Michael Pilato, CollabNet
CVE-2015-3187 : C. Michael Pilato, CollabNet

Xcode 7.0 may be obtained from:
https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "7.3".
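The manual check above does not scale to a fleet of developer machines. The following script is an added example, not part of the Apple or AusCERT bulletin: it parses the first line of `xcodebuild -version` output and compares the reported version numerically against 7.3, so that 7.10 is correctly treated as newer than 7.3 and an unparseable result is reported as unknown rather than as patched. The sample outputs and build-number lines embedded below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Apple or AusCERT bulletin): verify that the
# installed Xcode is 7.3 or later, the release carrying the otool and
# subversion fixes. Real `xcodebuild -version` output has the form
#   Xcode 7.3
#   Build version <build id>
# Only the first line is used; the build id lines below are constructed.

# version_ge A B : exit 0 when dotted version A >= B, compared per component
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -z "$ax" ] && ax=0          # missing component counts as 0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    return 0                          # all components equal
}

# xcode_version_from OUTPUT : print the version from `xcodebuild -version` text
xcode_version_from() {
    printf '%s\n' "$1" | sed -n 's/^Xcode \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# xcode_is_patched OUTPUT : 0 = 7.3 or later, 1 = older, 2 = could not parse
xcode_is_patched() {
    v=$(xcode_version_from "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "7.3"
}

# Constructed sample outputs so the check can be exercised offline
SAMPLE_OLD="Xcode 7.2.1
Build version CONSTRUCTED-OLD"
SAMPLE_NEW="Xcode 7.3
Build version CONSTRUCTED-NEW"

# Pass --live to check the machine this script runs on
if [ "${1:-}" = "--live" ]; then
    if xcode_is_patched "$(xcodebuild -version 2>/dev/null)"; then
        echo "Xcode is 7.3 or later"
    else
        echo "Xcode is NOT patched or could not be detected (rc=$?)"
    fi
fi
```

Run with `--live` on a Mac to check the local install; without arguments it only defines the functions and sample data.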

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================