About the security content of OS X Server 5.1

This document describes the security content of OS X Server 5.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

OS X Server 5.1

• Server App

Available for: OS X El Capitan v10.11.4

Impact: An administrator may unknowingly store backups on a volume without permissions enabled

Description: An issue in Time Machine server did not properly warn administrators if permissions were ignored when performing a server backup. This issue was addressed through improved warnings.

CVE-ID

CVE-2016-1774 : CJKApps

• Web Server

Available for: OS X El Capitan v10.11.4

Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm

Description: RC4 was removed as a supported cipher.

CVE-ID

CVE-2016-1777 : Pepi Zawodsky

• Web Server

Available for: OS X El Capitan v10.11.4

Impact: A remote user may be able to view sensitive configuration information

Description: A file access issue existed in Apache with .DS_Store and .htaccess files. This issue was addressed through improved access restrictions.

CVE-ID

CVE-2016-1776 : Shawn Pullum of University of California, Irvine

• Wiki Server

Available for: OS X El Capitan v10.11.4

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: An access issue existed in some Wiki pages. This issue was addressed through improved access restrictions.

CVE-ID

CVE-2016-1787 : an anonymous researcher

OS X Server 5.1 requires OS X El Capitan v10.11.4 for security improvements.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: January 23, 2017