APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
- Subject: APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
- From: Apple Product Security <email@hidden>
- Date: Mon, 25 Sep 2017 11:36:12 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
macOS High Sierra 10.13 is now available and addresses the following:
Application Firewall
Available for: OS X Lion v10.8 and later
Impact: A previously denied application firewall setting may take
effect after upgrading
Description: An upgrade issue existed in the handling of firewall
settings. This issue was addressed through improved handling of
firewall settings during upgrades.
CVE-2017-7084: an anonymous researcher
AppSandbox
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7074: Daniel Jalkut of Red Sweater Software
Captive Network Assistant
Available for: OS X Lion v10.8 and later
Impact: A local user may unknowingly send a password unencrypted over
the network
Description: The security state of the captive portal browser was not
obvious. This issue was addressed with improved visibility of the
captive portal browser security state.
CVE-2017-7143: an anonymous researcher
CFNetwork Proxies
Available for: OS X Lion v10.8 and later
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
CoreAudio
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Directory Utility
Available for: OS X Lion v10.8 and later
Impact: A local attacker may be able to determine the Apple ID of the
owner of the computer
Description: A permissions issue existed in the handling of the Apple
ID. This issue was addressed with improved access controls.
CVE-2017-7138: an anonymous researcher
file
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version
5.30.
CVE-2017-7121: found by OSS-Fuzz
CVE-2017-7122: found by OSS-Fuzz
CVE-2017-7123: found by OSS-Fuzz
CVE-2017-7124: found by OSS-Fuzz
CVE-2017-7125: found by OSS-Fuzz
CVE-2017-7126: found by OSS-Fuzz
Heimdal
Available for: OS X Lion v10.8 and later
Impact: An attacker in a privileged network position may be able to
impersonate a service
Description: A validation issue existed in the handling of the KDC-
REP service name. This issue was addressed through improved
validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams
IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7077: Brandon Azad
IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7119: Xiaolong Bai, Min (Spark) Zheng of Alibaba Inc.,
Benjamin Gnahm (@mitp0sh) of PDX
Kernel
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
libc
Available for: OS X Lion v10.8 and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
libc
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
libexpat
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Mail
Available for: OS X Lion v10.8 and later
Impact: The sender of an email may be able to determine the IP
address of the recipient
Description: Turning off "Load remote content in messages" did not
apply to all mailboxes. This issue was addressed with improved
setting propagation.
CVE-2017-7141: an anonymous researcher
Mail Drafts
Available for: OS X Lion v10.8 and later
Impact: An attacker with a privileged network position may be able to
intercept mail contents
Description: An encryption issue existed in the handling of mail
drafts. This issue was addressed with improved handling of mail
drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an
anonymous researcher
ntp
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version
4.2.8p10
CVE-2017-6451: Cure53
CVE-2017-6452: Cure53
CVE-2017-6455: Cure53
CVE-2017-6458: Cure53
CVE-2017-6459: Cure53
CVE-2017-6460: Cure53
CVE-2017-6462: Cure53
CVE-2017-6463: Cure53
CVE-2017-6464: Cure53
CVE-2016-9042: Matthew Van Gundy of Cisco
Screen Lock
Available for: OS X Lion v10.8 and later
Impact: Application Firewall prompts may appear over Login Window
Description: A window management issue was addressed through improved
state management.
CVE-2017-7082: Tim Kingman
Security
Available for: OS X Lion v10.8 and later
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: Sven Driemecker of adesso mobile solutions gmbh, Rune
Darrud (@theflyingcorpse) of Bærum kommune, an anonymous researcher,
an anonymous researcher
SQLite
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
SQLite
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
WebKit
Available for: OS X Lion v10.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
zlib
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
macOS 10.13 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZyUQfAAoJEIOj74w0bLRGmSEP/0wgqASRSNneoBx/AMLk0Qac
mZhI8HuyJRTFwCOT7P7vkZTmoxtyOOdh4XaInvKMsW5I2G64YEmW86pcofHwdOTz
TSWIAdus34xErUZ13rMzfg8Z3XAberG1E31QU2y2EXenpJSZIL8nzLgt8ySPVyzu
PrQJxGxCMq1WAOSemGe+4rK2rMwpw5UDZyTbNPDi6lfKz0ZmtfvBzrgBq2xhA9iF
/2NVs5rRog38N6F6xR6GNqi0dVoZmh1umQINh9nzTn8crbSuI3ixRtQYxstxU91/
0wrgV03YF297n6bwVhawEDPU8obZzFgQRiKOjghE6h4YBVccWxMI9n42PwVc+G/Z
X48wuSavpOEV6WEC+hWtALl/W73uH3jF2iK8rPBcDENheRlFi/y5+XeOK8TGJftS
6raj+IgbgERaY3uXcRoi0mLflpzxvGBYlTiJRRj7H7HFZO6v14hYyEMVrWmhFUiZ
Xgy/qxHdWd/NW4AZz8Ke+ZMaJr21DozzI8ejug9shD7O/N31ZNq2qsNmxEweCPvt
yMauTPAUutApHTEUXfwCdOy+ZGgTtWDnOC+g3ezkAOdigvjFcwlFH0Sbjxnhxbbp
LVLz7tHwyKa5Xcwet0ZRH3WCHBsTzzkpsgxoyEMabE2KGS461uZw20t2uZozNsV0
bniy26PJZ5xGrFOSZYUa
=wBKW
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden