-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004

OS X Yosemite 10.10.3 and Security Update 2015-004 are now available
and address the following:

Admin Framework
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A process may gain admin privileges without properly
authenticating
Description:  An issue existed when checking XPC entitlements. This
issue was addressed with improved entitlement checking.
CVE-ID
CVE-2015-1130 : Emil Kvarnhammar at TrueSec

apache
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Multiple vulnerabilities in Apache
Description:  Multiple vulnerabilities existed in Apache versions
prior to 2.4.10 and 2.2.29, including one that may allow a remote
attacker to execute arbitrary code. These issues were addressed by
updating Apache to versions 2.4.10 and 2.2.29
CVE-ID
CVE-2013-0118
CVE-2013-5704
CVE-2013-6438
CVE-2014-0098
CVE-2014-0117
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231
CVE-2014-3523

ATS
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  Multiple input validation issues existed in fontd.
These issues were addressed through improved input validation.
CVE-ID
CVE-2015-1131 : Ian Beer of Google Project Zero
CVE-2015-1132 : Ian Beer of Google Project Zero
CVE-2015-1133 : Ian Beer of Google Project Zero
CVE-2015-1134 : Ian Beer of Google Project Zero
CVE-2015-1135 : Ian Beer of Google Project Zero

Certificate Trust Policy
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.

CFNetwork HTTPProtocol
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  Cookies belonging to one origin may be sent to another
origin
Description:  A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller

CFNetwork Session
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  Authentication credentials may be sent to a server on
another origin
Description:  A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)

CFURL
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088 : Luigi Galli

CoreAnimation
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A use-after-free issue existed in CoreAnimation. This
issue was addressed through improved mutex management.
CVE-ID
CVE-2015-1136 : Apple

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld

Graphics Driver
Available for:  OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A NULL pointer dereference existed in NVIDIA graphics
driver's handling of certain IOService userclient types. This issue
was addressed through additional context validation.
CVE-ID
CVE-2015-1137 :
Frank Graziano and John Villamil of the Yahoo Pentest Team

Hypervisor
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A local application may be able to cause a denial of service
Description:  An input validation issue existed in the hypervisor
framework. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-1138 : Izik Eidus and Alex Fishman

ImageIO
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Processing a maliciously crafted .sgi file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the handling of
.sgi files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-1139 : Apple

IOHIDFamily
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A malicious HID device may be able to cause arbitrary code
execution
Description:  A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1140 : lokihardt@ASRT working with HP's Zero Day Initiative,
Luca Todesco

IOHIDFamily
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to determine kernel memory layout
Description:  An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A user may be able to execute arbitrary code with system
privileges
Description:  An out-of-bounds write issue exited in the IOHIDFamily
driver. The issue was addressed through improved input validation.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech

Kernel
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to cause unexpected system shutdown
Description:  An issue existed in the handling of virtual memory
operations within the kernel. The issue is fixed through improved
handling of the mach_vm_read operation.
CVE-ID
CVE-2015-1141 : Ole Andre Vadla Ravnas of www.frida.re

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to cause a system denial of service
Description:  A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local application may escalate privileges using a
compromised service intended to run with reduced privileges
Description:  setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.

Kernel
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description:  ICMP redirects were enabled by default on OS X. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs

Kernel
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  An attacker with a privileged network position may be able
to cause a denial of service
Description:  A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to cause unexpected system
termination or read kernel memory
Description:  A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A remote attacker may be able to bypass network filters
Description:  The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative

Kernel
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A remote attacker may be able to cause a denial of service
Description:  A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io

LaunchServices
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to cause the Finder to crash
Description:  An input validation issue existed in LaunchServices's
handling of application localization data. This issue was addressed
through improved validation of localization data.
CVE-ID
CVE-2015-1142

LaunchServices
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A type confusion issue existed in LaunchServices's
handling of localized strings. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2015-1143 : Apple

libnetcore
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description:  A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.

ntp
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A remote attacker may brute force ntpd authentication keys
Description:  The config_auth function in ntpd generated a weak key
when an authentication key was not configured. This issue was
addressed by improved key generation.
CVE-ID
CVE-2014-9298

OpenLDAP
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A remote unauthenticated client may be able to cause a
denial of service
Description:  Multiple input validation issues existed in OpenLDAP.
These issues were addressed by improved input validation.
CVE-ID
CVE-2015-1545 : Ryan Tandy
CVE-2015-1546 : Ryan Tandy

OpenSSL
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Multiple vulnerabilities in OpenSSL
Description:  Multiple vulnerabilities existed in OpenSSL 0.9.8zc,
including one that may allow an attacker to intercept connections to
a server that supports export-grade ciphers. These issues were
addressed by updating OpenSSL to version 0.9.8zd.
CVE-ID
CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204

Open Directory Client
Available for:  OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A password might be sent unencrypted over the network when
using Open Directory from OS X Server
Description:  If an Open Directory client was bound to an OS X Server
but did not install the certificates of the OS X Server, and then a
user on that client changed their password, the password change
request was sent over the network without encryption. This issue was
addressed by having the client require encryption for this case.
CVE-ID
CVE-2015-1147 : Apple

PHP
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Multiple vulnerabilities in PHP
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.3.29, 5.4.38, and 5.5.20, including one which may have led to
arbitrary code execution. This update addresses the issues by
updating PHP to versions 5.3.29, 5.4.38, and 5.5.20.
CVE-ID
CVE-2013-6712
CVE-2014-0207
CVE-2014-0237
CVE-2014-0238
CVE-2014-2497
CVE-2014-3478
CVE-2014-3479
CVE-2014-3480
CVE-2014-3487
CVE-2014-3538
CVE-2014-3587
CVE-2014-3597
CVE-2014-3668
CVE-2014-3669
CVE-2014-3670
CVE-2014-3710
CVE-2014-3981
CVE-2014-4049
CVE-2014-4670
CVE-2014-4698
CVE-2014-5120

QuickLook
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein

SceneKit
Available for:  OS X Mountain Lion v10.8.5
Impact:  Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description:  A heap buffer overflow existed in SceneKit's handling
of Collada files. Viewing a maliciously crafted Collada file may have
led to arbitrary code execution. This issue was addressed through
improved validation of accessor elements.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team

Screen Sharing
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  A user's password may be logged to a local file
Description:  In some circumstances, Screen Sharing may log a user's
password that is not readable by other users on the system. This
issue was addressed by removing logging of credential.
CVE-ID
CVE-2015-1148 : Apple

Security - Code Signing
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  Tampered applications may not be prevented from launching
Description:  Applications containing specially crafted bundles may
have been able to launch without a completely valid signature. This
issue was addressed by adding additional checks.
CVE-ID
CVE-2015-1145
CVE-2015-1146

UniformTypeIdentifiers
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A buffer overflow existed in the way Uniform Type
Identifiers were handled. This issue was addressed with improved
bounds checking.
CVE-ID
CVE-2015-1144 : Apple

WebKit
Available for:  OS X Yosemite v10.10 to v10.10.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in WebKit. This
issues was addressed through improved memory handling.
CVE-ID
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative

Security Update 2015-004 (available for OS X Mountain Lion v10.8.5
and OS X Mavericks v10.9.5) also addresses an issue caused by the fix
for CVE-2015-1067 in Security Update 2015-002. This issue prevented
Remote Apple Events clients on any version from connecting to the
Remote Apple Events server. In default configurations, Remote Apple
Events is not enabled.

OS X Yosemite 10.10.3 includes the security content of Safari 8.0.5.
https://support.apple.com/en-us/HT204658

OS X Yosemite 10.10.3 and Security Update 2015-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJVJKj2AAoJEBcWfLTuOo7tDh4QAK0LxfwMRKcdOXOKpXsRz6lg
lhZ+CLVcSepq8qBkFQ74f3B5CuhxD0IGQPaAuSXl51tWYdfN+92tkbmyZ9k8901l
+I0vw6upeE+oqRnGtSRzq68UhcARbdV8V1+C0Xl3IIuuHc+xlEgvklDhF9Pc8XM6
DudGiVNqt6MOqd5Oc4s4FFF0nnpnyG9+UJem3mi4Ee88PwI4x1Hev7utPPmaPDzj
cjkVeislko3QArNJxtBpkYudErA4eR5OX8Tdf12jAmPTtjrXUb3VigEf78Nna0RW
kHTOGdB5EZ+YFZ8KlyIQlENBjTtI8CGdCF4/S/2xDN83NTRsimd5Y7LSjdd0uANo
pqxAc3Gzn5xngWF1Qbb6V+XZBfz5NoeTq5BXBB5OHz4PSGaQuMsBA2RYFMzNLqWv
D/T5U1JtzRLALt0lYAz63B0OhW7KXeLI9oer1Vo4wWF9O9cUFyuSI4JU5uYLQpJX
kEpSFt4YPFFxMnlzCLzLkmVGax4w9M/tRHYeSKAnRlnsoPBtIGFItlNZE2RduD/R
5n2APoJa3banQ8miycGORYP3WsktDRZzBy+2QPWuz8sE3AvAkO9xWp8PrQBkqf/b
6CIG5UkCYITG2uzBXqnGbfDiEDvBLNN1Yq0ZZI23iYRxrdW0I0pv1CHio354q12G
vVE37tYUU4PnLfwlcazq
=MOsT
-----END PGP SIGNATURE-----