Home / mailings APPLE-SA-2014-10-16-2 Security Update 2014-005
Posted on 17 October 2014
Apple Security-announce--===============0499732011==
Content-type: multipart/signed;
boundary="Apple-Mail=_C445A41C-9EFC-4713-9ABF-18DF443379D8";
protocol="application/pgp-signature"; micalg=pgp-sha1
--Apple-Mail=_C445A41C-9EFC-4713-9ABF-18DF443379D8
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-2 Security Update 2014-005
Security Update 2014-005 is now available and addresses the
following:
Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Note: Security Update 2014-005 includes the security content of
OS X bash Update 1.0. For further details see
https://support.apple.com/kb/HT6495
Security Update 2014-005 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/