
Does anyone understand what this means:



About the security content of macOS Sierra 10.12



macOS Sierra 10.12
Released September 20, 2016

apache
Available for: OS X El Capitan v10.11.6
Impact: A remote attacker may be able to proxy traffic through an arbitrary server
Description: An issue existed in the handling of the HTTP_PROXY environment variable. This issue was addressed by not setting the HTTP_PROXY environment variable from CGI.
CVE-2016-4694: Dominic Scheirlinck and Scott Geary of Vend

[..]


Note the reference to availability for El Capitan. This is listed over and over and over in this document, which is supposed to be about Sierra.



So what gives? Are all these references a typo? Will these CVE-IDs be back ported to El Capitan and Yosemite?



What am I missing?
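The advisory quoted above says the fix was "not setting the HTTP_PROXY environment variable from CGI". The following is an added illustration (not code from Apple, Apache or this thread) of the mechanism behind that sentence: a CGI gateway builds HTTP_* meta-variables from request headers, so a client-supplied header named "Proxy" lands in HTTP_PROXY, which outbound HTTP libraries read as a proxy setting. The vulnerable mapper sits beside the hardened one; the request headers are constructed sample data.

```python
from typing import Dict


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 rule: uppercase, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour: every request header becomes an HTTP_* variable,
    so a 'Proxy' header silently becomes HTTP_PROXY in the script's environment."""
    return {header_to_meta_variable(n): v for n, v in headers.items()}


def cgi_env_fixed(headers: Dict[str, str]) -> Dict[str, str]:
    """Post-fix behaviour described in the advisory: HTTP_PROXY is never
    populated from request input, whatever the header's casing."""
    env = {}
    for name, value in headers.items():
        key = header_to_meta_variable(name)
        if key == "HTTP_PROXY":
            continue  # drop it; HTTP_PROXY is trusted by HTTP clients as an outbound proxy
        env[key] = value
    return env


def audit_cgi_env(env: Dict[str, str]) -> bool:
    """Defender's check on a CGI environment: True if HTTP_PROXY is present,
    i.e. the gateway is still forwarding the header."""
    return "HTTP_PROXY" in env


# Constructed sample request (hypothetical hosts, not from the advisory).
REQUEST_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "curl/7.49",
    "Proxy": "proxy.example.test:8080",
}

if __name__ == "__main__":
    print("vulnerable gateway sets HTTP_PROXY:", audit_cgi_env(cgi_env_vulnerable(REQUEST_HEADERS)))
    print("fixed gateway sets HTTP_PROXY:     ", audit_cgi_env(cgi_env_fixed(REQUEST_HEADERS)))
```

Running `audit_cgi_env` against the real environment of a CGI script (`os.environ`) is a quick way to confirm whether a given web server build still forwards the header.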

Hi,



"Available for: OS X El Capitan v10.11.6" means that the vulnerability is available for OS X 10.11.6, as is the fix in the form of macOS Sierra 10.12. It does by no means indicate that a separate fix in the form of a stand-alone Security Update for 10.11.6 is or will be made available.



The same happened already when 10.11 came out. Out of the 101 vulnerabilities that the announcement of 10.11 listed, 2 were fixed in a stand-alone Sec Update for 10.10 that came out a while later. The other 99 vulnerabilities were left untouched.



Do not count on the rumor that Apple supports three versions of OS X / macOS, this is simply not the case!



So now you have the choice to stay with an unfixed 10.11, or go immediately to 10.12 if all your apps and tools allow this.



Best regards,



Matthias


I asked Apple about support policies for OS Versions. They said they have no official support policy on what OS versions they create patches for and to look at history to get an idea. From my experience, current OS gets patched, previous usually gets patched, and pre-previous often gets patched...

