-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-05-16-4 OS X El Capitan 10.11.5 and Security Update
2016-003

OS X El Capitan 10.11.5 and Security Update 2016-003 is now available
and addresses the following:

AMD
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1792 : beist and ABH of BoB

AMD
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  An application may be able to determine kernel memory layout
Description:  An issue existed that led to the disclosure of kernel
memory content. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2016-1791 : daybreaker of Minionz

apache_mod_php
Available for:  OS X El Capitan v10.11 and later
Impact:  Multiple vulnerabilities in PHP
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.5.34. These were addressed by updating PHP to version 5.5.34.
CVE-ID
CVE-2015-8865
CVE-2016-3141
CVE-2016-3142
CVE-2016-4070
CVE-2016-4071
CVE-2016-4072
CVE-2016-4073

AppleGraphicsControl
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1793 : Ian Beer of Google Project Zero
CVE-2016-1794 : Ian Beer of Google Project Zero

AppleGraphicsPowerManagement
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1795 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro

ATS
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to determine kernel memory layout
Description:  An out of bounds memory access issue was addressed
through improved memory handling.
CVE-ID
CVE-2016-1796 : lokihardt working with Trend Micro's Zero Day
Initiative

ATS
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
system privileges
Description:  An issue existed in the sandbox policy. This was
addressed by sandboxing FontValidator.
CVE-ID
CVE-2016-1797 : lokihardt working with Trend Micro's Zero Day
Initiative

Audio
Available for:  
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact:  An application may be able to cause a denial of service
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1798 : Juwei Lin of TrendMicro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1799 : Juwei Lin of TrendMicro

Captive Network Assistant
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
execute arbitrary code with user assistance
Description:  A custom URL scheme handling issue was addressed
through improved input validation.
CVE-ID
CVE-2016-1800 : Apple

CFNetwork Proxies
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
leak sensitive user information
Description:  An information leak existed in the handling of HTTP and
HTTPS requests. This issue was addressed through improved URL
handling.
CVE-ID
CVE-2016-1801 : Alex Chapman and Paul Stone of Context Information
Security

CommonCrypto
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to leak sensitive user
information
Description:  An issue existed in the handling of return values in
CCCrypt. This issue was addressed through improved key length
management.
CVE-ID
CVE-2016-1802 : Klaus Rodewig

CoreCapture
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working
with Trend Micro’s Zero Day Initiative

CoreStorage
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A configuration issue was addressed through additional
restrictions.
CVE-ID
CVE-2016-1805 : Stefan Esser

Crash Reporter
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
root privileges
Description:  A configuration issue was addressed through additional
restrictions.
CVE-ID
CVE-2016-1806 : lokihardt working with Trend Micro's Zero Day
Initiative

Disk Images
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to read kernel memory
Description:  A race condition was addressed through improved
locking.
CVE-ID
CVE-2016-1807 : Ian Beer of Google Project Zero

Disk Images
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro

Disk Utility
Available for:  OS X El Capitan v10.11 and later
Impact:  Disk Utility failed to compress and encrypt disk images
Description:  Incorrect keys were being used to encrypt disk images.
This issue was addressed by updating the encryption keys.
CVE-ID
CVE-2016-1809 : Ast A. Moore (@astamoore) and David Foster of
TechSmartKids

Graphics Drivers
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1810 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted image may lead to a denial
of service
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1811 : Lander Brandt (@landaire)

Intel Graphics Driver
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A buffer overflow was addressed through improved bounds
checking.
CVE-ID
CVE-2016-1812 : Juwei Lin of TrendMicro

IOAcceleratorFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to cause a denial of service
Description:  A null pointer dereference was addressed through
improved locking.
CVE-ID
CVE-2016-1814 : Juwei Lin of TrendMicro

IOAcceleratorFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1815 : Liang Chen, Qidan He of KeenLab, Tencent working with
Trend Micro's Zero Day Initiative
CVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro
CVE-2016-1819 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1813 : Ian Beer of Google Project Zero
CVE-2016-1816 : Peter Pi (@heisecode) of Trend Micro and Juwei Lin of
Trend Micro

IOAudioFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A buffer overflow was addressed with improved bounds
checking.
CVE-ID
CVE-2016-1820 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro working with Trend Micro’s Zero Day Initiative

IOAudioFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1821 : Ian Beer of Google Project Zero

IOFireWireFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1822 : CESG

IOHIDFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent

IOHIDFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1825 : Brandon Azad

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1827 : Brandon Azad
CVE-2016-1828 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad
CVE-2016-1831 : Brandon Azad

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  An integer overflow existed in dtrace. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2016-1826 : Ben Murphy working with Trend Micro’s Zero Day
Initiative

libc
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1832 : Karl Williamson

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1834 : Apple
CVE-2016-1835 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1837 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1839 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany

libxslt
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1841 : Sebastian Apelt

MapKit
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
leak sensitive user information
Description:  Shared links were sent with HTTP rather than HTTPS.
This was addressed by enabling HTTPS for shared links.
CVE-ID
CVE-2016-1842 : Richard Shupak (https://www.linkedin.com/in/rshupak)

Messages
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious server or user may be able to modify another
user's contact list
Description:  A validation issue existed in roster changes. This
issue was addressed through improved validation of roster sets.
CVE-ID
CVE-2016-1844 : Thijs Alkemade of Computest

Messages
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to leak sensitive user
information
Description:  An encoding issue existed in filename parsing. This
issue was addressed through improved filename encoding.
CVE-ID
CVE-2016-1843 : Heige (a.k.a. SuperHei) of Knownsec 404 Security Team
[http://www.knownsec.com]

Multi-Touch
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1804 : Liang Chen, Yubin Fu, Marco Grassi of KeenLab,
Tencent of Trend Micro's Zero Day Initiative

NVIDIA Graphics Drivers
Available for:  
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1846 : Ian Beer of Google Project Zero

OpenGL
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1848 : Francis Provencher from COSIG

SceneKit
Available for:  OS X El Capitan v10.11 and later
Impact:  Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1850 : Tyler Bohan of Cisco Talos

Screen Lock
Available for:  OS X El Capitan v10.11 and later
Impact:  A person with physical access to a computer may be able to
reset an expired password from the lock screen
Description:  An issue existed in the management of password
profiles. This issue was addressed through improved password reset
handling.
CVE-ID
CVE-2016-1851 : an anonymous researcher

Tcl
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
leak sensitive user information
Description:  A protocol security issue was addressed by disabling
SSLv2.
CVE-ID
CVE-2016-1853 : researchers at Tel Aviv University, Münster
University of Applied Sciences, Ruhr University Bochum, the
University of Pennsylvania, the Hashcat project, the University of
Michigan, Two Sigma, Google, and the OpenSSL project: Nimrod Aviram,
Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel,
Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor
Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof
Paar, and Yuval Shavitt

Note: OS X El Capitan 10.11.5 includes the security content of Safari
9.1.1. For further details see https://support.apple.com/en-us/HT206565


OS X El Capitan 10.11.5 and Security Update 2016-003 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJXOj0GAAoJEIOj74w0bLRGFp0QANQktsdXgOptLJWGqWXaDKmW
HaY0fNyuXNLzGNH2GKQ1yXi2KjMqGnCuAwaS3Ku/4qx2Imq3X+BLLYrSOwttbAvQ
yGdWaFo1ExK/WT4CI02QM7LDOZNXOyZq/ofQ4jXi/wDpuXXNV+I+RsMMUJL4Uon9
2fngj7FHXk4fvCYs9lahjv+wDGkpIcVDTU6Liqxmje2KQzShYJ8tYwwacsOSQKxk
bmsUiA9q9zkGbbo7mo5WikQUO1XWaBLQiBejzJMyNEFGECtOc9B4+irTJgERTSHb
igd2875EmH/sNI6WkEQNZwpMfdKBhNI/W9e/DhZVSwAydK6xt8yr0vd5ZF/M8jCU
CWGzoOQI1snlr862Ccx7H+db8umu1UmDMUjz1To+hqCEhnvMW2/oRvrKtk2Q65Pu
STqixhDl0HEamvX/72r7LNsZHjzmoGoKjpwjnGf0phZgSBP1bWKmhp9748Rcb12a
LzwRy7KJ20W8XGGiMeqKoe4bFaBK6iBJok4+ZpROadGrxtjVumtqbZ5CrY1Hp8/F
I4VMuReDqG39G4yyDeAEr9JWRdmV285Z1zaxOgd2CsPblDfEWp9HiBpC8Agd1p9x
Mf/EDssinL1K7dQQPIXgGUE5S6Z2DzGEeKvHzm8kLxl0OfwntATY/mf7TM0nj4JY
YyNMZcKPuYVmF3b2PAfb
=P+17
-----END PGP SIGNATURE-----