Significant security fixes in OS X 10.11.5 etc.

Among the significant improvements made to security in OS X 10.11.5 are:

  • PHP is updated to version 5.5.34,
  • various memory corruption issues have been fixed in the kernel, extensions, graphics drivers, and elsewhere,
  • incorrect keys were being used to encrypt disk images in Disk Utility, which now compresses and encrypts disk images properly again,
  • libxml2 has had multiple issues fixed so that it is no longer vulnerable to crafted XML attacks,
  • two vulnerabilities in Messages (= iOS iMessage) have been fixed,
  • management of password profiles has been improved in Screen Lock, which no longer allows someone to reset an expired password from the lock screen,
  • SSLv2 has been disabled in Tcl to fix a protocol security problem.

A small number of these are included in Security Update 2016-003 for Yosemite and Mavericks, which has also been released.

Safari 9.1.1, available for El Capitan as part of the 10.11.5 update, and for Mavericks and Yosemite, fixes four issues. One of these is that ‘Clear History and Website Data’ did not always clear the history: it should do so now.

With OS X Server 5.1.5, the ‘system’ version of Server is now officially (which is confusing, particularly as that has not changed since OS X Server 5.1.4), and Apple Configurator 2 has been updated to version 2.2.1.

With recent silent security updates:

  • Core Suggestions Configuration Data should now be at version 743,
  • Gatekeeper Configuration Data should now be at version 88.