About the security content of OS X Server 5.1

This document describes the security content of OS X Server 5.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

OS X Server 5.1

• Server App

  Available for: OS X El Capitan v10.11.4

  Impact: An administrator may unknowingly store backups on a volume without permissions enabled

  Description: An issue in Time Machine server did not properly warn administrators if permissions were ignored when performing a server backup. This issue was addressed through improved warnings.

  CVE-ID

  CVE-2016-1774 : CJKApps

• Web Server

  Available for: OS X El Capitan v10.11.4

  Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm

  Description: RC4 was removed as a supported cipher.

  CVE-ID

  CVE-2016-1777 : Pepi Zawodsky

• Web Server

  Available for: OS X El Capitan v10.11.4

  Impact: A remote user may be able to view sensitive configuration information

  Description: A file access issue existed in Apache with .DS_Store and .htaccess files. This issue was addressed through improved access restrictions.

  CVE-ID

  CVE-2016-1776 : Shawn Pullum of University of California, Irvine

• Wiki Server

Available for: OS X El Capitan v10.11.4

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: An access issue existed in some Wiki pages. This issue was addressed through improved access restrictions.

CVE-ID

CVE-2016-1787 : an anonymous researcher