-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-10-21-4 OS X El Capitan 10.11.1 and Security Update
2015-007

OS X El Capitan 10.11.1 and Security Update 2015-007 are now
available and address the following:

Accelerate Framework
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in the Accelerate
Framework in multi-threading mode. This issue was addressed through
improved accessor element validation and improved object locking.
CVE-ID
CVE-2015-5940 : Apple

apache_mod_php
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Multiple vulnerabilities in PHP
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.5.29 and 5.4.45. These were addressed by updating PHP to
versions 5.5.29 and 5.4.45.
CVE-ID
CVE-2015-0235
CVE-2015-0273
CVE-2015-6834
CVE-2015-6835
CVE-2015-6836
CVE-2015-6837
CVE-2015-6838

ATS
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in ATS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-6985 : John Villamil (@day6reak), Yahoo Pentest Team

Audio
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code
Description:  An uninitialized memory issue existed in coreaudiod.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-7003 : Mark Brand of Google Project Zero

Audio
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Playing a malicious audio file may lead to arbitrary code
execution
Description:  Multiple memory corruption issues existed in the
handling of audio files. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5933 : Apple
CVE-2015-5934 : Apple

Bom
Available for:  OS X El Capitan 10.11
Impact:  Unpacking a maliciously crafted archive may lead to
arbitrary code execution
Description:  A file traversal vulnerability existed in the handling
of CPIO archives. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2015-7006 : Mark Dowd of Azimuth Security

CFNetwork
Available for:  OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to cookies
being overwritten
Description:  A parsing issue existed when handling cookies with
different letter casing. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of
Tsinghua University, Jian Jiang of University of California,
Berkeley, Haixin Duan of Tsinghua University and International
Computer Science Institute, Shuo Chen of Microsoft Research Redmond,
Tao Wan of Huawei Canada, Nicholas Weaver of International Computer
Science Institute and University of California, Berkeley, coordinated
via CERT/CC

configd
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to elevate privileges
Description:  A heap based buffer overflow issue existed in the DNS
client library. A malicious application with the ability to spoof
responses from the local configd service may have been able to cause
arbitrary code execution in DNS clients.
CVE-ID
CVE-2015-7015 : PanguTeam

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in
CoreGraphics. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5925 : Apple
CVE-2015-5926 : Apple

CoreText
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6992 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6975 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7017 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for:  OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5944 : John Villamil (@day6reak), Yahoo Pentest Team

Disk Images
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6995 : Ian Beer of Google Project Zero

EFI
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  An attacker can exercise unused EFI functions
Description:  An issue existed with EFI argument handling. This was
addressed by removing the affected functions.
CVE-ID
CVE-2015-7035 : Corey Kallenberg, Xeno Kovah, John Butterworth, and
Sam Cornwell of The MITRE Corporation, coordinated via CERT/CC

File Bookmark
Available for:  OS X El Capitan 10.11
Impact:  Browsing to a folder with malformed bookmarks may cause
unexpected application termination
Description:  An input validation issue existed in parsing bookmark
metadata. This issue was addressed through improved validation
checks.
CVE-ID
CVE-2015-6987 : Luca Todesco (@qwertyoruiop)

FontParser
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5927 : Apple
CVE-2015-5942
CVE-2015-6976 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6977 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero
Day Initiative
CVE-2015-6991 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6993 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7009 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7010 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7018 : John Villamil (@day6reak), Yahoo Pentest Team

FontParser
Available for:  OS X El Capitan 10.11
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6990 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7008 : John Villamil (@day6reak), Yahoo Pentest Team

Grand Central Dispatch
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted package may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the handling of
dispatch calls. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6989 : Apple

Graphics Drivers
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to cause unexpected system
termination or read kernel memory
Description:  Multiple out of bounds read issues existed in the
NVIDIA graphics driver. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7019 : Ian Beer of Google Project Zero
CVE-2015-7020 : Moony Li of Trend Micro

Graphics Drivers
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7021 : Moony Li of Trend Micro

ImageIO
Available for:  OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact:  Processing a maliciously crafted image file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5935 : Apple
CVE-2015-5938 : Apple

ImageIO
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Processing a maliciously crafted image file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5936 : Apple
CVE-2015-5937 : Apple
CVE-2015-5939 : Apple

IOAcceleratorFamily
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6996 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6974 : Luca Todesco (@qwertyoruiop)

Kernel
Available for:  OS X Yosemite v10.10.5
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A type confusion issue existed in the validation of
Mach tasks. This issue was addressed through improved Mach task
validation.
CVE-ID
CVE-2015-5932 : Luca Todesco (@qwertyoruiop), Filippo Bigarella

Kernel
Available for:  OS X El Capitan 10.11
Impact:  An attacker with a privileged network position may be able
to execute arbitrary code
Description:  An uninitialized memory issue existed in the kernel.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-6988 : The Brainy Code Scanner (m00nbsd)

Kernel
Available for:  OS X El Capitan 10.11
Impact:  A local application may be able to cause a denial of service
Description:  An issue existed when reusing virtual memory. This
issue was addressed through improved validation.
CVE-ID
CVE-2015-6994 : Mark Mentovai of Google Inc.

libarchive
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  A malicious application may be able to overwrite arbitrary
files
Description:  An issue existed within the path validation logic for
symlinks. This issue was addressed through improved path
sanitization.
CVE-ID
CVE-2015-6984 : Christopher Crone of Infinit, Jonathan Schleifer

MCX Application Restrictions
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact:  A developer-signed executable may acquire restricted
entitlements
Description:  An entitlement validation issue existed in Managed
Configuration. A developer-signed app could bypass restrictions on
use of restricted entitlements and elevate privileges. This issue was
addressed through improved provisioning profile validation.
CVE-ID
CVE-2015-7016 : Apple

Net-SNMP
Available for:  OS X El Capitan 10.11
Impact:  An attacker in a privileged network position may be able to
cause a denial of service
Description:  Multiple issues existed in netsnmp version 5.6. These
issues were addressed by using patches affecting OS X from upstream.
CVE-ID
CVE-2012-6151
CVE-2014-3565

OpenGL
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in OpenGL. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5924 : Apple

OpenSSH
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to conduct impersonation attacks
Description:  A privilege separation issue existed in PAM support.
This issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-6563 : Moritz Jodeit of Blue Frost Security GmbH

Sandbox
Available for:  OS X El Capitan 10.11
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  An input validation issue existed when handling NVRAM
parameters. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5945 : Rich Trouton (@rtrouton), Howard Hughes Medical
Institute, Apple

Script Editor
Available for:  OS X El Capitan 10.11
Impact:  An attacker may trick a user into running arbitrary
AppleScript
Description:  In some circumstances, Script Editor did not ask for
user confirmation before executing AppleScripts. This issue was
addressed by prompting for user confirmation before executing
AppleScripts.
CVE-ID
CVE-2015-7007 : Joe Vennix of Rapid7

Security
Available for:  OS X El Capitan 10.11
Impact:  A malicious application may be able to overwrite arbitrary
files
Description:  A double free issue existed in the handling of
AtomicBufferedFile descriptors. This issue was addressed through
improved validation of AtomicBufferedFile descriptors.
CVE-ID
CVE-2015-6983 : David Benjamin, Greg Kerr, Mark Mentovai and Sergey
Ulanov from the Chrome Team

SecurityAgent
Available for:  OS X El Capitan 10.11
Impact:  A malicious application can programmatically control
keychain access prompts
Description:  A method existed for applications to create synthetic
clicks on keychain prompts. This was addressed by disabling synthetic
clicks for keychain access windows.
CVE-ID
CVE-2015-5943

Installation note:

OS X El Capitan v10.11.1 includes the security content of
Safari 9.0.1: https://support.apple.com/kb/HT205377

OS X El Capitan 10.11.1 and Security Update 2015-007 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJWJuKsAAoJEBcWfLTuOo7t8e0P/igVHKDXeLNib2eEzbS2BMVV
Ee968BgEDw1xnHK8zzh3bbRNxxAUT9lwe8RuSYECfp8sUYySb51/VIWpmidewsqB
az7mJ4Gohldppejc5tykHDoTYesQL7iySLn74PdxZfZXbtz2EGJK19cA6hIHcO5x
ZiMCbJzTaAOylKRQRRi3kMdNWEzxbtm90247vNx/zMSjs1bhGlQbJsCVDmX/Q9uH
Xja9aPCHDfaQueTw5idbXwT+Y/+I9ytBlL5JXVrjRUDYCtuewC4DNsQxZY0qcDyE
A7/0G7iYW5vOECNhpoLA0+1MbdHxJXhwJtmIKX8zucYqe/Vr4j41oGey/HJW55ER
USJ2RBpMtGhDEolyvxz7FlSPYOIpp05mwMB0GWQWAmkWDAxnagkQm9xwKBMt4eq4
CNdI0YaX0iPPWYIkI3HpZHdzuwbE5b053cw1hLKc0OVQBiqLUQxe3W5s64ZqTSe0
whlm9lt/9EUwyfXHEiXTYi/d+CF8+JthY4ieXRJ4mwz77udafmgA5Pbl71SqB8pE
7TBByuCOFdou6JmdJPahLDxoGRA+i7Z+a8Myn4WtbemkjrO9iZ/VsdAdl/Db+7cz
rEgSPjelEC5z5WxQspiuohxU1NkDnMgWm2Tnx+pFBOfZMheE4xnTfve3vqY+gQdN
4GbuRXld4PbxeDdel0Nk
=snJ4
-----END PGP SIGNATURE-----