Re: APPLE-SA-2018-1-23-4 tvOS 11.2.5
- Subject: Re: APPLE-SA-2018-1-23-4 tvOS 11.2.5
- From: Justin Franks <email@hidden>
- Date: Wed, 24 Jan 2018 10:30:49 +1100
> On 24 Jan 2018, at 7:46 am, Apple Product Security
> <email@hidden> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> APPLE-SA-2018-1-23-4 tvOS 11.2.5
>
> tvOS 11.2.5 is now available and addresses the following:
>
> Audio
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing a maliciously crafted audio file may lead to
> arbitrary code execution
> Description: A memory corruption issue was addressed through improved
> input validation.
> CVE-2018-4094: Mingi Cho, MinSik Shin, Seoyoung Kim, Yeongho Lee and
> Taekyoung Kwon of the Information Security Lab, Yonsei University
>
> Core Bluetooth
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to execute arbitrary code with
> system privileges
> Description: A memory corruption issue was addressed with improved
> memory handling.
> CVE-2018-4087: Rani Idan (@raniXCH) of Zimperium zLabs Team
> CVE-2018-4095: Rani Idan (@raniXCH) of Zimperium zLabs Team
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A memory initialization issue was addressed through
> improved memory handling.
> CVE-2018-4090: Jann Horn of Google Project Zero
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A race condition was addressed through improved locking.
> CVE-2018-4092: an anonymous researcher
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: A malicious application may be able to execute arbitrary code
> with kernel privileges
> Description: A memory corruption issue was addressed through improved
> input validation.
> CVE-2018-4082: Russ Cox of Google
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A validation issue was addressed with improved input
> sanitization.
> CVE-2018-4093: Jann Horn of Google Project Zero
>
> QuartzCore
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution
> Description: A memory corruption issue existed in the processing of
> web content. This issue was addressed through improved input
> validation.
> CVE-2018-4085: Ret2 Systems Inc. working with Trend Micro's Zero Day
> Initiative
>
> Security
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: A certificate may have name constraints applied incorrectly
> Description: A certificate evaluation issue existed in the handling
> of name constraints. This issue was addressed through improved trust
> evaluation of certificates.
> CVE-2018-4086: Ian Haken of Netflix
>
> WebKit
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution
> Description: Multiple memory corruption issues were addressed with
> improved memory handling.
> CVE-2018-4088: Jeonghoon Shin of Theori
> CVE-2018-4089: Ivan Fratric of Google Project Zero
> CVE-2018-4096: found by OSS-Fuzz
>
> Installation note:
>
> Apple TV will periodically check for software updates. Alternatively,
> you may manually check for software updates by selecting
> "Settings -> System -> Software Update -> Update Software."
>
> To check the current version of software, select
> "Settings -> General -> About."
>
> Information will also be posted to the Apple Security Updates
> web site: https://support.apple.com/kb/HT201222
>
> This message is signed with Apple's Product Security PGP key,
> and details are available at:
> https://www.apple.com/support/security/pgp/
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Security-announce mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
--
****************************************************************************************************************************
Important: this email (including any attachments) is intended only for
the addressee(s) and is confidential.
It may also contain legally privileged information. If you are not the
intended recipient, you are notified
that any use, disclosure or dissemination is strictly prohibited. If you
have received this email in error,
please notify Screenrights immediately by telephone or email and delete
all copies of this email.
****************************************************************************************************************************