About the security content of Xcode 7.0

This document describes the security content of Xcode 7.0.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.

Xcode 7.0

  • DevTools

    Available for: OS X Yosemite v10.10.4 or later

    Impact: An attacker may be able to bypass access restrictions

    Description: An API issue existed in the apache configuration. This issue was addressed by updating header files to use the latest version.

    CVE-ID

    CVE-2015-3185 : Branko Äibej of the Apache Software Foundation

  • IDE Xcode Server

    Available for: OS X Yosemite v10.10.4 or later

    Impact: An attacker may be able to access restricted parts of the filesystem

    Description: A comparison issue existed in the node.js send module prior to version 0.8.4. This issue was addressed by upgrading to version 0.12.3.

    CVE-ID

    CVE-2014-6394 : Ilya Kantor

  • IDE Xcode Server

    Available for: OS X Yosemite v10.10.4 or later

    Impact: Multiple vulnerabilities in OpenSSL

    Description: Multiple vulnerabilities existed in the node.js OpenSSL module prior to version 1.0.1j. These issues were addressed by updating openssl to version 1.0.1j.

    CVE-ID

    CVE-2014-3513

    CVE-2014-3566

    CVE-2014-3567

    CVE-2014-3568

  • IDE Xcode Server

    Available for: OS X Yosemite v10.10.4 or later

    Impact: An attacker with a privileged network position may be able to inspect traffic to Xcode Server

    Description: Connections to Xcode Server may have been made without encryption. This issue was addressed through improved network connection logic.

    CVE-ID

    CVE-2015-5910 : an anonymous researcher

  • IDE Xcode Server

    Available for: OS X Yosemite v10.10.4 or later

    Impact: Build notifications may be sent to unintended recipients

    Description: An access issue existed in the handling of repository email lists. This issue was addressed through improved validation.

    CVE-ID

    CVE-2015-5909 : Daniel Tomlinson of Rocket Apps, David Gatwood of Anchorfree

  • subversion

    Available for: OS X Yosemite v10.10.4 or later

    Impact: Multiple vulnerabilities existed in svn versions prior to 1.7.19

    Description: Multiple vulnerabilities existed in svn versions prior to 1.7.19. These issues were addressed by updating svn to version 1.7.20.

    CVE-ID

    CVE-2015-0248

    CVE-2015-0251

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: