Security-announce
Threads by month
- ----- 2025 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
July 2016
- 1 participants
- 6 discussions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-6 iTunes 12.4.2
iTunes 12.4.2 for Windows is now available and addresses the following:
libxml2
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxml2
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxslt
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
iTunes 12.4.2 may be obtained from:
https://www.apple.com/itunes/download/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXBGAAoJEIOj74w0bLRGW7cP/i8zSs+ajIAlGBZBMD4f7hyI
joCRGfQ5KiAKAvLAcMZ+nxsbr40MSczWlAvyQRZ7sPj6vT34xaLtodRfwNoXJzdE
PeOUMLLdWG7uyiuFZfnfz6tf1DiEhk3ikWCyZaiAPz2eiM2cVU+3MbDh5rKI5Hz/
ik7sUkh88WbpxZwPuXvgQ5tWOkT1x197mlNx213Y0GKFRjg6pEHXljiNYkbXFnhA
mDtvS4AIRLYvpBfhg/W4k9ZTSGYmpBooma7Mi5DGPU99TlhDJjo+1eI4OG8sof5U
HOM8RxTIzePYfW8CC2jkmC0M4qR0DYe9GZcL/N7gCD20q5Du7d0QYwg0hTSsLigh
o+NAy5WetVKRVnnNqdfyoLi5VLoXMwNMHSSr372QIhgIjDMoXNKCpwciqS6ueB7z
gIJpLTm/RWwgex0J+0oD9N5/Y26fYb5T6pObZLElGK608a+G7oyULVkmahLXRA68
te8+ruysbjS4fQwqbdhIa1YioX9xgvdewotTURg8SWfmtLHe/Oca+2jBV+jVEYyo
Fisob0WozgA9OWLao1ku00AhdcRMOceMb/OZR54TkBLN+vYt/k7VSxL2y1uq3ODD
KTq2cFxnG7wUgqzXOnp6pko0XpE4Eil4I6Eb3AUrL998dXdkUSAbHNYqIIowFT6Y
mEQIIZf2AaJBiNPamC86
=49i5
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-5 Safari 9.1.2
Safari 9.1.2 is now available and addresses the following:
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a malicious website may disclose image data from
another website
Description: A timing issue existed in the processing of SVG. This
issue was addressed through improved validation.
CVE-2016-4583 : Roeland Krak
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: An origin inheritance issue existed in parsing of
about: URLs. This was addressed through improved validation of
security origins.
CVE-2016-4590 : xisigr of Tencent's Xuanwu
Lab (www.tencent.com)
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4586 : Apple
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro’s Zero Day
Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4587 : Apple
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted webpage may lead to a system
denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4592 : Mikhail
WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may compromise user
information on the file system
Description: A permissions issue existed in the handling of the
location variable. This was addressed though additional ownership
checks.
CVE-2016-4591 : ma.la of LINE Corporation
WebKit JavaScript Bindings
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to script
execution in the context of a non-HTTP service
Description: A cross-protocol cross-site scripting (XPXSS) issue
existed in Safari when submitting forms to non-HTTP services
compatible with HTTP/0.9. This issue was addressed by disabling
scripts and plugins on resources loaded over HTTP/0.9.
CVE-2016-4651 : Obscure
WebKit Page Loading
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4584 : Chris Vienneau
WebKit Page Loading
Available for: OS X El Capitan v10.11.6
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-site scripting issue existed in Safari URL
redirection. This issue was addressed through improved URL validation
on redirection.
CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions,
Inc. (www.mbsd.jp)
Safari 9.1.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXBBAAoJEIOj74w0bLRGvW8QAMqOAKm8CnLcqepi5pjP08WT
DZavcy5OGT/jah0WRuDSLSWgjWDQvGTsuIXvPr0sJp4ZU+KfpLRr/PP4jaHCEAgb
UOf1n42FcVsVdXwNUdyzpEvvRDd3RKzjVDWIi7VAB+dH3sM42C3qPcffJs2+sjOG
EQElvmMfAg4chSSCL6+y3l3uNabMk5oJeXJWICB8d1EtZpe5Epyp8GoYOh/JB2IG
Lt4Rw0rVG8BYYXWe8vJ0vbHSWMEaixQoDzsxFTxZUUCWBl0GqjM/Bjij+TyHf+lc
bb+4zfXPo8WKHad7M9ifl1+s8IzYUmdN3RZ8FFc02M7/i+rU0/HsmuRUxXG6dox3
r9sQKWeWr2xPmiU2pT0XPq95f2iLgt6rAFEfcK0zhLq3QbT5GQh9oyHwjc4c83+H
FGUQ8BrstJIGVRqERxI48kvhiH12PRAilEswFAAr9lJu5X+rmw/glSyYfcslkF49
rDZBAGLEFvCNuwjkAsTelvwiC3tAERhfjh33OENMgS43dVOQfwVpOWolOHN4Tqa4
oLIDzx+0+yVjs/IIAZmTdRLV7yDjat1CRN80FOBHkjuqbD8kL8hU45cvoclUjc6J
n4rOP1EG4SHph+DLfQiRVKbYWjOSOHWb3KMnkx+J5tuSVpe6FT/lpediznhacs+9
ukIIF2wGmuLEumkEjPi3
=2Qoy
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-4 tvOS 9.2.2
tvOS 9.2.2 is now available and addresses the following:
CoreGraphics
Available for: Apple TV (4th generation)
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple TV (4th generation)
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple TV (4th generation)
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
IOAcceleratorFamily
Available for: Apple TV (4th generation)
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro
IOHIDFamily
Available for: Apple TV (4th generation)
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
Kernel
Available for: Apple TV (4th generation)
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: Apple TV (4th generation)
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent, CESG
libxml2
Available for: Apple TV (4th generation)
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxml2
Available for: Apple TV (4th generation)
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxslt
Available for: Apple TV (4th generation)
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Sandbox Profiles
Available for: Apple TV (4th generation)
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to a system
denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4592 : Mikhail
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4586 : Apple
CVE-2016-4588 : Apple
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro’s Zero Day
Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4587 : Apple
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may compromise user
information on the file system
Description: A permissions issue existed in the handling of the
location variable. This was addressed though additional ownership
checks.
CVE-2016-4591 : ma.la of LINE Corporation
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may disclose image data from
another website
Description: A timing issue existed in the processing of SVG. This
issue was addressed through improved validation.
CVE-2016-4583 : Roeland Krak
WebKit Page Loading
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4584 : Chris Vienneau
WebKit Page Loading
Available for: Apple TV (4th generation)
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-site scripting issue existed in Safari URL
redirection. This issue was addressed through improved URL validation
on redirection.
CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions,
Inc. (www.mbsd.jp)
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software.".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXA+AAoJEIOj74w0bLRGi6IP/2DDPP2Z208nJPL0+a+bMJA4
JUIrF0BM4wyr1Hy/Vb2zN5RkAZYeHwq8Jq9av9qu79Xgan2jcgPRWKSAiztp0BMx
kYPLi6PrpvWiWLHpqkWGnKVK1LmdBQXKrPsCmMJacKJ2TldBMofAiuh3QrjqZ7ud
GVbTB4HkjX2FnpCt25DkUK5Y5oWP8lv4rvB+iTfO/kVGfSMfrTg1HGH3s49+UTHV
GICBGi+L8yftmYaM10a5JjnOCRiIKXa95Kt1CTPrDxFSJG2QBmMBvSGV4qivyf6i
buqAso81LVWnJBIKjj21usJqm6Q1lqtU5MTElfDq0w/uo7oxL/eWB4e8H0lm9Jow
oD+ZepkO0SHQgwNWprMKrEbI/xow1CiYdxj/a8DYSuQicCjPZanQux04MurfmU5Q
YEkzj+oxuzBherHAVwqleHEglDOy6CJx/UCVoxnf0Tcj9FQOTzQ+aUqYMXrM33Yu
zhU4Eai/9PKLLuqQzhgXYqsSnHKu5ojzesunRo09D+Q1jjSyIXvhmUmCXBgDvcls
MfSUjWJJxniqj+C8zFeHuFEbPU70urVmUH7rWSBsRCRhjzwYMAWpPejkT/XDs1qm
SCTElHATr+BfvS0v1E5En2xNKXSodyJL1SaK9rHnkre+40+e0IJJbOQzbQH9MAcJ
ylGAp0etGDWZ40Q5IyH8
=N/Ug
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-3 watchOS 2.2.2
watchOS 2.2.2 is now available and addresses the following:
CoreGraphics
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro
IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4628 : Ju Zhu of Trend Micro
IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
libxml2
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxml2
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxslt
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Sandbox Profiles
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXA7AAoJEIOj74w0bLRGEXgP+weQFMlAuBOyZg11jFauawDt
r+LmaHifpMysV13r6cLkKP6cVqV4G6EEOGp9hSqC2lsHKQYDN5vdyLwLl5sE3kSg
PyQgp5iE3Eihe9ArswPbsrm/c1aIMZbKNnAVQkHOQX7STTmYDfp5ATxxFp7yueld
0QVCEbr4QCpqpQCJhqRO7RHWnlOCmTKdYxsD6rYqOEALnZzfB9A5bZPyeM1LNnJL
ntom0d1GzuBjowrEIFPyZBE+oZP1wEfUBsYnr5sD5jkAHphMCyI0/MPAwH3181aZ
T9jHgJMc/0xlitBHwCT7nv7AE3YpxPYpM8lM1a+cLOfHNaUiX7bfX2w+6PVEDFiP
5X0raq+QYnqKdNXanG2nMhQjIYJEIWbOBKanM7hMWM6C2kd4YAc4eLACX3vObWNS
m1Fbj1/Qxqtng0sqw66HhyFEcz9Cqgg7UX2MEmxVV86Oxqcb2PW5XrwUZ9PtgByP
ks8UNaOXYKaRo+OIhaAPn1qfSSlhp086LfGPuCm5lP0c5hZ9TfyErWPG+1nhD6Vd
l48RQOYcAAE//wMLuSf38CbvS0RVcfzKA6DfUAlEAv0Aw4GOZRNCmtLVZo2QS8kc
nUItEluM+03NkqrGROZiyoC+FIrXunr47JzdP5kawB6C1zsJrP2vFr1au9gbwUZ3
nb7PSAEOmpjCwkMbzdvm
=l25N
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-2 iOS 9.3.3
iOS 9.3.3 is now available and addresses the following:
Calendar
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted calendar invite may cause a device to
unexpectedly restart
Description: A null pointer dereference was addressed through
improved memory handling.
CVE-2016-4605 : Henry Feldman MD at Beth Israel Deaconess Medical
Center
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
FaceTime
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description: User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4628 : Ju Zhu of Trend Micro
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent
libxml2
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxml2
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxslt
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Redirect responses to invalid ports may have allowed a
malicious website to display an arbitrary domain while displaying
arbitrary content. This issue was addressed through improved URL
display logic.
CVE-2016-4604 : xisigr of Tencent's Xuanwu Lab (www.tencent.com)
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
Siri Contacts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to a device may be able to see
private contact information
Description: A privacy issue existed in the handling of Contact
cards. This was addressed through improved state management.
CVE-2016-4593 : Pedro Pinheiro (facebook.com/pedro.pinheiro.1996)
Web Media
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a video in Safari's Private Browsing mode displays
the URL of the video outside of Private Browsing mode
Description: A privacy issue existed in the handling of user data by
Safari View Controller. This issue was addressed through improved
state management.
CVE-2016-4603 : Brian Porter (@portex33)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro’s Zero Day
Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to a system
denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4592 : Mikhail
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may disclose image data from
another website
Description: A timing issue existed in the processing of SVG. This
issue was addressed through improved validation.
CVE-2016-4583 : Roeland Krak
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: An origin inheritance issue existed in parsing of
about: URLs. This was addressed through improved validation of
security origins.
CVE-2016-4590 : xisigr of Tencent's Xuanwu Lab (www.tencent.com) an
anonymous researcher
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the file system
Description: A permissions issue existed in the handling of the
location variable. This was addressed though additional ownership
checks.
CVE-2016-4591 : ma.la of LINE Corporation
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4587 : Apple
WebKit JavaScript Bindings
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to script
execution in the context of a non-HTTP service
Description: A cross-protocol cross-site scripting (XPXSS) issue
existed in Safari when submitting forms to non-HTTP services
compatible with HTTP/0.9. This issue was addressed by disabling
scripts and plugins on resources loaded over HTTP/0.9.
CVE-2016-4651 : Obscure
WebKit Page Loading
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-site scripting issue existed in Safari URL
redirection. This issue was addressed through improved URL validation
on redirection.
CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions,
Inc. (www.mbsd.jp)
WebKit Page Loading
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4584 : Chris Vienneau
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "9.3.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXA4AAoJEIOj74w0bLRGzJ0P/1ry4kKeEmZdCG8n5skZNWcx
hvtpxrZVgse6nvkJ5+SPDIOJbGFNUEv4YP5F+MBosr/mLBcmyjPFbbdlEsKE6ffj
uS03k0p/9uEczaZrytzwK3AXeKwLP1Q47Yl76sPaKtCYzZF0Qlzype4BXdPW/FnV
5Hg0/EAw9vLUpn36BG7NDH5HPTsTETtjxfNZg25k16DMek90E8DQLGCNFBnT7iY1
lC/4CuMBEeZIsOlM1C6IxrlRtUZCMuNUCE68w944Ne7BJqAM3J3sT6/tQMrqg+2S
CVk+4XLey/pi9L6PsR4eSgW80wVLnfoAgEbDnD3ZwWhzrfTqFcvlxDGaxn0LGDf1
H+aalvb8UmNtPr+zQymCGXRBqX9jlzTyRqfoa33R09qJtkSlaeKDbWEdJf706OD6
SeL5rzeeJSjwmrlNzyttnGoH5bsRYb3FhIA5eQlymi4y2EPBXFsQTH2Hxnb06oNo
4XiJx+43+VJ3MUf4v0MHNQqOGlqiw2twSen0mc/3D1IREGFgmL7bszJWALsdElNQ
itACX596JCWc/RPzkLkMKZlKfSxG3AYIKgvLVvVodgHjObqLBSgya6hvpZ3jwsDr
f9nggrqh0mHCMmPG4fPUvsDBt63TJcTNuTvlv6EWLSDM6B9Yy9FkFjNt3e0LlFEg
/esomms9/qUSQyOF2huK
=zqBF
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0
APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004
by Apple Product Security 19 Jul '16
by Apple Product Security 19 Jul '16
19 Jul '16
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004
OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:
apache_mod_php
Available for:
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to determine kernel memory layout
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro
Audio
Available for: OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro's Zero Day Initiative
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro
bsdiff
Available for: OS X El Capitan v10.11 and later
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in bspatch. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher
CFNetwork
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to view sensitive user information
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.
CoreGraphics
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
CoreGraphics
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to elevate privileges
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
FaceTime
Available for: OS X El Capitan v10.11 and later
Impact: An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description: User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo
Graphics Drivers
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins
ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
Intel Graphics Driver
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous researcher
IOHIDFamily
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
IOSurface
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A use-after-free was addressed through improved memory
management.
CVE-2016-4625 : Ian Beer of Google Project Zero
Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent
libc++abi
Available for: OS X El Capitan v10.11 and later
Impact: An application may be able to execute arbitrary code with
root privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4621 : an anonymous researcher
libexpat
Available for: OS X El Capitan v10.11 and later
Impact: Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-0718 : Gustavo Grieco
LibreSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in LibreSSL before 2.2.7. These
were addressed by updating LibreSSL to version 2.2.7.
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google) Mark Brand,
Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxslt
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to compromise of user information
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to the compromise of user information
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a denial of service
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to gain root privileges
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
OpenSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8.
CVE-2016-2105 : Guido Vranken
CVE-2016-2106 : Guido Vranken
CVE-2016-2107 : Juraj Somorovsky
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
CVE-2016-2176 : Guido Vranken
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted SGI file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab
Safari Login AutoFill
Available for: OS X El Capitan v10.11 and later
Impact: A user's password may be visible on screen
Description: An issue existed in Safari's password auto-fill. This
issue was addressed through improved matching of form fields.
CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD
Sandbox Profiles
Available for: OS X El Capitan v10.11 and later
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
Note: OS X El Capitan 10.11.6 includes the security content of Safari
9.1.2. For further details see https://support.apple.com/kb/HT206900
OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXjXAvAAoJEIOj74w0bLRG/5EP/2v9SJTrO+/4b3A1gqC1ch8y
+cJ04tXRsO7rvjKT5nCylo30U0Sanz/bUbDx4559YS7/P/IyeyZVheaTJwK8wzEy
pSOPpy35hUuVIw0/p4YsuHDThSBPFMmDljTxH7elkfuBV1lPSrCkyDXc0re2HxWV
xj68zAxtM0jkkhgcxb2ApZSZVXhrjUZtbY0xEVOoWKKFwbMvKfx+4xSqunwQeS1u
wevs1EbxfvsZbc3pG+xYcOonbegBzOy9aCvNO1Yv1zG+AYXC5ERMq1vk3PsWOTQN
ZVY1I7mvCaEfvmjq2isRw8XYapAIKISDLwMKBSYrZDQFwPQLRi1VXxQZ67Kq1M3k
ah04/lr0RIcoosIcBqxD2+1UAFjUzEUNFkYivjhuaeegN2QdL7Ujegf1QjdAt8lk
mmKduxYUDOaRX50Kw7n14ZveJqzE1D5I6QSItaZ9M1vR60a7u91DSj9D87vbt1YC
JM/Rvf/4vonp1NjwA2JQwCiZfYliBDdn9iiCl8mzxdsSRD/wXcZCs05nnKmKsCfc
55ET7IwdG3622lVheOJGQZuucwJiTn36zC11XVzZysQd/hLD5rUKUQNX1WOgZdzs
xPsslXF5MWx9jcdyWVSWxDrN0sFk+GpQFQDuVozP60xuxqR3qQ0TXir2NP39uIF5
YozOGPQFmX0OviWCQsX6
=ng+m
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
1
0