
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006


Jasper_The_Rasper
Moderator
  • Subject: APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006
  • From: Apple Product Security 
  • Date: Thu, 13 Aug 2015 10:32:17 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006

OS X Yosemite v10.10.5 and Security Update 2015-006 is now available and addresses the following:

apache
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most serious of which may allow a remote attacker to cause a denial of service.
Description: Multiple vulnerabilities existed in Apache versions prior to 2.4.16. These were addressed by updating Apache to version 2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185

apache_mod_php
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148

Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to change the password of a local user
Description: In some circumstances, a state management issue existed in password authentication. The issue was addressed through improved state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day Initiative

AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel memory layout
Description: An issue existed in AppleGraphicsControl which could have led to the disclosure of kernel memory layout. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam

Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in IOBluetoothHCIController. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security

Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel memory layout
Description: A memory management issue could have led to the disclosure of kernel memory layout. This issue was addressed with improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze Networks

Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from other iCloud devices
Description: An issue existed where a malicious app could access a Bluetooth-paired Mac or iOS device's Notification Center notifications via the Apple Notification Center Service. The issue affected devices using Handoff and logged into the same iCloud account. This issue was resolved by revoking access to the Apple Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng Wang (Indiana University)

Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of Bluetooth ACL packets. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3787 : Trend Micro

Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's handling of XPC messages. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [pdx]

bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have broadcast MAC addresses of previously accessed networks via the DNAv4 protocol. This issue was addressed through disabling DNAv4 on unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute, University of Oxford (on the EPSRC Being There project)

CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto

CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback. These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple

CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team

CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team

curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to 7.38.0, one of which may allow remote attackers to bypass the Same Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl prior to 7.38.0. These issues were addressed by updating cURL to version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153

Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of Unicode characters. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)

Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected behavior
Description: An authorization issue existed when modifying the system date and time preferences. This issue was addressed with additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith

Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not properly secure user communications. This issue was addressed by moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security Team

DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: A memory corruption issue existed in parsing of malformed DMG images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team

dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A path validation issue existed in dyld. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser

FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple

FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team

groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of which may allow arbitrary filesystem modification. These issues were addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078

ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of TIFF images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-5758 : Apple

ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the disclosure of process memory
Description: An uninitialized memory access issue existed in ImageIO's handling of .png and TIFF images. Visiting a malicious website may result in sending data from process memory to the website. This issue is addressed through improved memory initialization and additional validation of .png and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski

Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with root privileges
Description: An issue existed in how Install.framework's 'runner' binary dropped privileges. This issue was addressed through improved privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero

Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A race condition existed in Install.framework's 'runner' binary that resulted in privileges being incorrectly dropped. This issue was addressed through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero

IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: Memory corruption issues existed in IOFireWireFamily. These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel

IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in IOGraphics. This issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel

IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel memory layout
Description: An issue existed in the mach_port_space_info interface, which could have led to the disclosure of kernel memory layout. This was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team, @PanguTeam

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be appended to signed code in a specially crafted executable file. This issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned, malicious code to execute
Description: An issue existed in the way multi-architecture executable files were evaluated that could have allowed unsigned code to be executed. This issue was addressed through improved validation of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: A memory corruption existed in processing of malformed plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein (@jollyjinx) of Jinx Germany

Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A path validation issue existed. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple

Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library. These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero

Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6 sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple

libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in handling syscalls. This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360

libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior to 2.9.2, the most serious of which may allow a remote attacker to cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions prior to 2.9.2. These were addressed by updating libxml2 to version 2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google

libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
Description: A memory access issue existed in libxml2. This was addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google

libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
Description: A memory corruption issue existed in parsing of XML files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple

libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in handling of malformed XPC messages. This issue was improved through improved bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley

mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844

Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all notifications previously displayed to users
Description: An issue existed in Notification Center, which did not properly delete user notifications. This issue was addressed by correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski

ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in NTFS. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze Networks

OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive devices. This issue was addressed through improved authentication request validation.
CVE-ID
CVE-2015-5600

OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg, the most serious of which may allow a remote attacker to cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792

perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to disclosure of unexpected application termination or arbitrary code execution
Description: An integer underflow issue existed in the way Perl parsed regular expressions. This issue was addressed through improved memory handling.
CVE-ID
CVE-2013-7422

PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244

python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions prior to 2.7.6. These were addressed by updating Python to version 2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365

QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple

QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information
Description: An external entity reference issue existed in XML file parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.

Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of QuickTime files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5771 : Apple

Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web browser and render that website
Description: An issue existed where QuickLook had the capability to execute JavaScript. The issue was addressed by disallowing execution of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole

QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple

QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz

SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling of Collada files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5772 : Apple

SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team

Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin privileges without proper authentication
Description: An issue existed in handling of user authentication. This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]

SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel

Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech alerts enabled may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in handling of Unicode strings. This issue was addressed by improved memory handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive

sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to 1.7.10p9, the most serious of which may allow an attacker access to arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior to 1.7.10p9. These were addressed by updating sudo to version 1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680

tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most serious of which may allow a remote attacker to cause a denial of service.
Description: Multiple vulnerabilities existed in tcpdump versions prior to 4.7.3. These were addressed by updating tcpdump to version 4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140

Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to disclosure of user information
Description: An XML external entity reference issue existed with TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team

udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: A memory corruption issue existed in parsing of malformed DMG images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash

http://prod.lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
