ID

VAR-201605-0145

CVE

CVE-2016-0718

TITLE

Expat Service disruption in (DoS) Vulnerabilities

DESCRIPTION

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. There is a security hole in Expat. Description: This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release. Security Fix(es): * expat: Out-of-bounds heap read on crafted input causing crash (CVE-2016-0718) * curl: escape and unescape integer overflows (CVE-2016-7167) * curl: Cookie injection for other servers (CVE-2016-8615) * curl: Case insensitive password comparison (CVE-2016-8616) * curl: Out-of-bounds write via unchecked multiplication (CVE-2016-8617) * curl: Double-free in curl_maprintf (CVE-2016-8618) * curl: Double-free in krb5 code (CVE-2016-8619) * curl: curl_getdate out-of-bounds read (CVE-2016-8621) * curl: URL unescape heap overflow via integer truncation (CVE-2016-8622) * curl: Use-after-free via shared cookies (CVE-2016-8623) * curl: Invalid URL parsing with '#' (CVE-2016-8624) * curl: IDNA 2003 makes curl use wrong host (CVE-2016-8625) * libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS) (CVE-2016-9598) * pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3) (CVE-2017-6004) * pcre: Invalid Unicode property lookup (8.41/7, 10.24/2) (CVE-2017-7186) * pcre: invalid memory read in_pcre32_xclass (pcre_xclass.c) (CVE-2017-7244) * pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7245) * pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7246) * curl: FTP PWD response parser out of bounds read (CVE-2017-1000254) * curl: IMAP FETCH response out of bounds read (CVE-2017-1000257) * curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP (CVE-2018-0500) Details around this issue, including information about the CVE, severity of the issue, and the CVSS score can be found on the CVE page listed in the Reference section below. The following packages have been upgraded to a newer upstream version: * Curl (7.57.0) * OpenSSL (1.0.2n) * Expat (2.2.5) * PCRE (8.41) * libxml2 (2.9.7) Acknowledgements: CVE-2017-1000254: Red Hat would like to thank Daniel Stenberg for reporting this issue. Upstream acknowledges Max Dymond as the original reporter. Upstream acknowledges Brian Carpenter, (the OSS-Fuzz project) as the original reporter. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Core Services installation (including all applications and configuration files). Bugs fixed (https://bugzilla.redhat.com/): 1296102 - CVE-2016-0718 expat: Out-of-bounds heap read on crafted input causing crash 1375906 - CVE-2016-7167 curl: escape and unescape integer overflows 1388370 - CVE-2016-8615 curl: Cookie injection for other servers 1388371 - CVE-2016-8616 curl: Case insensitive password comparison 1388377 - CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication 1388378 - CVE-2016-8618 curl: Double-free in curl_maprintf 1388379 - CVE-2016-8619 curl: Double-free in krb5 code 1388385 - CVE-2016-8621 curl: curl_getdate out-of-bounds read 1388386 - CVE-2016-8622 curl: URL unescape heap overflow via integer truncation 1388388 - CVE-2016-8623 curl: Use-after-free via shared cookies 1388390 - CVE-2016-8624 curl: Invalid URL parsing with '#' 1388392 - CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host 1408306 - CVE-2016-9598 libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS) 1425365 - CVE-2017-6004 pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3) 1434504 - CVE-2017-7186 pcre: Invalid Unicode property lookup (8.41/7, 10.24/2) 1437364 - CVE-2017-7244 pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c) 1437367 - CVE-2017-7245 pcre: stack-based buffer overflow write in pcre32_copy_substring 1437369 - CVE-2017-7246 pcre: stack-based buffer overflow write in pcre32_copy_substring 1495541 - CVE-2017-1000254 curl: FTP PWD response parser out of bounds read 1503705 - CVE-2017-1000257 curl: IMAP FETCH response out of bounds read 1597101 - CVE-2018-0500 curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP 5. This could reduce the security of calling applications. (CVE-2012-6702) It was discovered that the Expat code in XML-RPC for C and C++ incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. ========================================================================= Ubuntu Security Notice USN-3044-1 August 05, 2016 firefox vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website. Software Description: - firefox: Mozilla Open Source web browser Details: Gustavo Grieco discovered an out-of-bounds read during XML parsing in some circumstances. (CVE-2016-0718) Toni Huttunen discovered that once a favicon is requested from a site, the remote server can keep the network connection open even after the pag e is closed. A remote attacked could potentially exploit this to track users, resulting in information disclosure. (CVE-2016-2830) Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward , Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil Ringnalda discovered multiple memory safety issues in Firefox. (CVE-2016-2835, CVE-2016-2836) A buffer overflow was discovered in the ClearKey Content Decryption Module (CDM) during video playback. (CVE-2016-2837) Atte Kettunen discovered a buffer overflow when rendering SVG content in some circumstances. (CVE-2016-2838) Bert Massop discovered a crash in Cairo with version 0.10 of FFmpeg. (CVE-2016-2839) Catalin Dumitru discovered that URLs of resources loaded after a navigation start could be leaked to the following page via the Resource Timing API. An attacker could potentially exploit this to obtain sensitiv e information. (CVE-2016-5250) Firas Salem discovered an issue with non-ASCII and emoji characters in data: URLs. An attacker could potentially exploit this to spoof the addressbar contents. (CVE-2016-5251) Georg Koppen discovered a stack buffer underflow during 2D graphics rendering in some circumstances. (CVE-2016-5252) Abhishek Arya discovered a use-after-free when the alt key is used with top-level menus. (CVE-2016-5254) Jukka Jyl=C3=A4nki discovered a crash during garbage collection. If a use r were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code. (CVE-2016-5255) Looben Yang discovered a use-after-free in WebRTC. (CVE-2016-5258) Looben Yang discovered a use-after-free when working with nested sync events in service workers. (CVE-2016-5259) Mike Kaply discovered that plain-text passwords can be stored in session restore if an input field type is changed from "password" to "text" durin g a session, leading to information disclosure. (CVE-2016-5260) Samuel Gro=C3=9F discovered an integer overflow in WebSockets during data buffering in some circumstances. (CVE-2016-5261) Nikita Arykov discovered that JavaScript event handlers on a <marquee> element can execute in a sandboxed iframe without the allow-scripts flag set. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2016-5262) A type confusion bug was discovered in display transformation during rendering. (CVE-2016-5263) A use-after-free was discovered when applying effects to SVG elements in some circumstances. (CVE-2016-5264) Abdulrahman Alqabandi discovered a same-origin policy violation relating to local HTML files and saved shortcut files. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5265) Rafael Gieschke discovered an information disclosure issue related to drag and drop. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5266) A text injection issue was discovered with about: URLs. An attacker could potentially exploit this to spoof internal error pages. (CVE-2016-5268) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: firefox 48.0+build2-0ubuntu0.16.04.1 Ubuntu 14.04 LTS: firefox 48.0+build2-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: firefox 48.0+build2-0ubuntu0.12.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: expat security update Advisory ID: RHSA-2016:2824-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2824.html Issue date: 2016-11-28 CVE Names: CVE-2016-0718 ===================================================================== 1. Summary: An update for expat is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Expat is a C library for parsing XML documents. Security Fix(es): * An out-of-bounds read flaw was found in the way Expat processed certain input. (CVE-2016-0718) Red Hat would like to thank Gustavo Grieco for reporting this issue. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, applications using the Expat library must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1296102 - CVE-2016-0718 expat: Out-of-bounds heap read on crafted input causing crash 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: expat-2.0.1-13.el6_8.src.rpm i386: expat-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm x86_64: expat-2.0.1-13.el6_8.i686.rpm expat-2.0.1-13.el6_8.x86_64.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.i686.rpm x86_64: expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm expat-devel-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: expat-2.0.1-13.el6_8.src.rpm x86_64: expat-2.0.1-13.el6_8.i686.rpm expat-2.0.1-13.el6_8.x86_64.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm expat-devel-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: expat-2.0.1-13.el6_8.src.rpm i386: expat-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.i686.rpm ppc64: expat-2.0.1-13.el6_8.ppc.rpm expat-2.0.1-13.el6_8.ppc64.rpm expat-debuginfo-2.0.1-13.el6_8.ppc.rpm expat-debuginfo-2.0.1-13.el6_8.ppc64.rpm expat-devel-2.0.1-13.el6_8.ppc.rpm expat-devel-2.0.1-13.el6_8.ppc64.rpm s390x: expat-2.0.1-13.el6_8.s390.rpm expat-2.0.1-13.el6_8.s390x.rpm expat-debuginfo-2.0.1-13.el6_8.s390.rpm expat-debuginfo-2.0.1-13.el6_8.s390x.rpm expat-devel-2.0.1-13.el6_8.s390.rpm expat-devel-2.0.1-13.el6_8.s390x.rpm x86_64: expat-2.0.1-13.el6_8.i686.rpm expat-2.0.1-13.el6_8.x86_64.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm expat-devel-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: expat-2.0.1-13.el6_8.src.rpm i386: expat-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.i686.rpm x86_64: expat-2.0.1-13.el6_8.i686.rpm expat-2.0.1-13.el6_8.x86_64.rpm expat-debuginfo-2.0.1-13.el6_8.i686.rpm expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm expat-devel-2.0.1-13.el6_8.i686.rpm expat-devel-2.0.1-13.el6_8.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: expat-2.1.0-10.el7_3.src.rpm x86_64: expat-2.1.0-10.el7_3.i686.rpm expat-2.1.0-10.el7_3.x86_64.rpm expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-devel-2.1.0-10.el7_3.i686.rpm expat-devel-2.1.0-10.el7_3.x86_64.rpm expat-static-2.1.0-10.el7_3.i686.rpm expat-static-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: expat-2.1.0-10.el7_3.src.rpm x86_64: expat-2.1.0-10.el7_3.i686.rpm expat-2.1.0-10.el7_3.x86_64.rpm expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-devel-2.1.0-10.el7_3.i686.rpm expat-devel-2.1.0-10.el7_3.x86_64.rpm expat-static-2.1.0-10.el7_3.i686.rpm expat-static-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: expat-2.1.0-10.el7_3.src.rpm aarch64: expat-2.1.0-10.el7_3.aarch64.rpm expat-debuginfo-2.1.0-10.el7_3.aarch64.rpm expat-devel-2.1.0-10.el7_3.aarch64.rpm ppc64: expat-2.1.0-10.el7_3.ppc.rpm expat-2.1.0-10.el7_3.ppc64.rpm expat-debuginfo-2.1.0-10.el7_3.ppc.rpm expat-debuginfo-2.1.0-10.el7_3.ppc64.rpm expat-devel-2.1.0-10.el7_3.ppc.rpm expat-devel-2.1.0-10.el7_3.ppc64.rpm ppc64le: expat-2.1.0-10.el7_3.ppc64le.rpm expat-debuginfo-2.1.0-10.el7_3.ppc64le.rpm expat-devel-2.1.0-10.el7_3.ppc64le.rpm s390x: expat-2.1.0-10.el7_3.s390.rpm expat-2.1.0-10.el7_3.s390x.rpm expat-debuginfo-2.1.0-10.el7_3.s390.rpm expat-debuginfo-2.1.0-10.el7_3.s390x.rpm expat-devel-2.1.0-10.el7_3.s390.rpm expat-devel-2.1.0-10.el7_3.s390x.rpm x86_64: expat-2.1.0-10.el7_3.i686.rpm expat-2.1.0-10.el7_3.x86_64.rpm expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-devel-2.1.0-10.el7_3.i686.rpm expat-devel-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: expat-debuginfo-2.1.0-10.el7_3.aarch64.rpm expat-static-2.1.0-10.el7_3.aarch64.rpm ppc64: expat-debuginfo-2.1.0-10.el7_3.ppc.rpm expat-debuginfo-2.1.0-10.el7_3.ppc64.rpm expat-static-2.1.0-10.el7_3.ppc.rpm expat-static-2.1.0-10.el7_3.ppc64.rpm ppc64le: expat-debuginfo-2.1.0-10.el7_3.ppc64le.rpm expat-static-2.1.0-10.el7_3.ppc64le.rpm s390x: expat-debuginfo-2.1.0-10.el7_3.s390.rpm expat-debuginfo-2.1.0-10.el7_3.s390x.rpm expat-static-2.1.0-10.el7_3.s390.rpm expat-static-2.1.0-10.el7_3.s390x.rpm x86_64: expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-static-2.1.0-10.el7_3.i686.rpm expat-static-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: expat-2.1.0-10.el7_3.src.rpm x86_64: expat-2.1.0-10.el7_3.i686.rpm expat-2.1.0-10.el7_3.x86_64.rpm expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-devel-2.1.0-10.el7_3.i686.rpm expat-devel-2.1.0-10.el7_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: expat-debuginfo-2.1.0-10.el7_3.i686.rpm expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm expat-static-2.1.0-10.el7_3.i686.rpm expat-static-2.1.0-10.el7_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-0718 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYPIyBXlSAg2UNWIIRAmHXAJ0XmPOxvAJOT6/eusxHQBKBs/LPDgCguirS H8Bczzxw4Aj5YxGpyacoQBE= =GbHX -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004 OS X El Capitan v10.11.6 and Security Update 2016-004 is now available and addresses the following: apache_mod_php Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in PHP versions prior to 5.5.36. These were addressed by updating PHP to version 5.5.36. CVE-2016-4650 Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to determine kernel memory layout Description: An out-of-bounds read was addressed through improved input validation. CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro Audio Available for: OS X El Capitan v10.11 and later Impact: Parsing a maliciously crafted audio file may lead to the disclosure of user information Description: An out-of-bounds read was addressed through improved bounds checking. CVE-2016-4646 : Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a system denial of service Description: A null pointer dereference was addressed through improved input validation. CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro bsdiff Available for: OS X El Capitan v10.11 and later Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow existed in bspatch. This issue was addressed through improved bounds checking. CVE-2014-9862 : an anonymous researcher CFNetwork Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to view sensitive user information Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed through improved restrictions. CVE-2016-4645 : Abhinav Bansal of Zscaler Inc. CoreGraphics Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) CoreGraphics Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to elevate privileges Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative FaceTime Available for: OS X El Capitan v10.11 and later Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic. CVE-2016-4635 : Martin Vigo Graphics Drivers Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4634 : Stefan Esser of SektionEins ImageIO Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to cause a denial of service Description: A memory consumption issue was addressed through improved memory handling. CVE-2016-4632 : Evgeny Sidorov of Yandex ImageIO Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) ImageIO Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) Intel Graphics Driver Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4633 : an anonymous researcher IOHIDFamily Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference was addressed through improved input validation. CVE-2016-4626 : Stefan Esser of SektionEins IOSurface Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A use-after-free was addressed through improved memory management. CVE-2016-4625 : Ian Beer of Google Project Zero Kernel Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1863 : Ian Beer of Google Project Zero CVE-2016-1864 : Ju Zhu of Trend Micro CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team Kernel Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a system denial of service Description: A null pointer dereference was addressed through improved input validation. CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent libc++abi Available for: OS X El Capitan v10.11 and later Impact: An application may be able to execute arbitrary code with root privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4621 : an anonymous researcher libexpat Available for: OS X El Capitan v10.11 and later Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-0718 : Gustavo Grieco LibreSSL Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in LibreSSL before 2.2.7. These were addressed by updating LibreSSL to version 2.2.7. CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google) Mark Brand, Ian Beer of Google Project Zero CVE-2016-2109 : Brian Carpenter libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information Description: An access issue existed in the parsing of maliciously crafted XML files. This issue was addressed through improved input validation. CVE-2016-4449 : Kostya Serebryany libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Multiple vulnerabilities in libxml2 Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological University CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological University CVE-2016-4448 : Apple CVE-2016-4483 : Gustavo Grieco CVE-2016-4614 : Nick Wellnhofe CVE-2016-4615 : Nick Wellnhofer CVE-2016-4616 : Michael Paddon CVE-2016-4619 : Hanno Boeck libxslt Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Multiple vulnerabilities in libxslt Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1684 : Nicolas GrA(c)goire CVE-2016-4607 : Nick Wellnhofer CVE-2016-4608 : Nicolas GrA(c)goire CVE-2016-4609 : Nick Wellnhofer CVE-2016-4610 : Nick Wellnhofer CVE-2016-4612 : Nicolas GrA(c)goire Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code leading to compromise of user information Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code leading to the compromise of user information Description: A type confusion issue was addressed through improved memory handling. CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a denial of service Description: A memory initialization issue was addressed through improved memory handling. CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to gain root privileges Description: A type confusion issue was addressed through improved memory handling. CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative OpenSSL Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8. CVE-2016-2105 : Guido Vranken CVE-2016-2106 : Guido Vranken CVE-2016-2107 : Juraj Somorovsky CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero CVE-2016-2109 : Brian Carpenter CVE-2016-2176 : Guido Vranken QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted SGI file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab Safari Login AutoFill Available for: OS X El Capitan v10.11 and later Impact: A user's password may be visible on screen Description: An issue existed in Safari's password auto-fill. This issue was addressed through improved matching of form fields. CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD Sandbox Profiles Available for: OS X El Capitan v10.11 and later Impact: A local application may be able to access the process list Description: An access issue existed with privileged API calls. This issue was addressed through additional restrictions. CVE-2016-4594 : Stefan Esser of SektionEins Note: OS X El Capitan 10.11.6 includes the security content of Safari 9.1.2. For further details see https://support.apple.com/kb/HT206900 OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXjXAvAAoJEIOj74w0bLRG/5EP/2v9SJTrO+/4b3A1gqC1ch8y +cJ04tXRsO7rvjKT5nCylo30U0Sanz/bUbDx4559YS7/P/IyeyZVheaTJwK8wzEy pSOPpy35hUuVIw0/p4YsuHDThSBPFMmDljTxH7elkfuBV1lPSrCkyDXc0re2HxWV xj68zAxtM0jkkhgcxb2ApZSZVXhrjUZtbY0xEVOoWKKFwbMvKfx+4xSqunwQeS1u wevs1EbxfvsZbc3pG+xYcOonbegBzOy9aCvNO1Yv1zG+AYXC5ERMq1vk3PsWOTQN ZVY1I7mvCaEfvmjq2isRw8XYapAIKISDLwMKBSYrZDQFwPQLRi1VXxQZ67Kq1M3k ah04/lr0RIcoosIcBqxD2+1UAFjUzEUNFkYivjhuaeegN2QdL7Ujegf1QjdAt8lk mmKduxYUDOaRX50Kw7n14ZveJqzE1D5I6QSItaZ9M1vR60a7u91DSj9D87vbt1YC JM/Rvf/4vonp1NjwA2JQwCiZfYliBDdn9iiCl8mzxdsSRD/wXcZCs05nnKmKsCfc 55ET7IwdG3622lVheOJGQZuucwJiTn36zC11XVzZysQd/hLD5rUKUQNX1WOgZdzs xPsslXF5MWx9jcdyWVSWxDrN0sFk+GpQFQDuVozP60xuxqR3qQ0TXir2NP39uIF5 YozOGPQFmX0OviWCQsX6 =ng+m -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Gustavo Grieco

SOURCES

LAST UPDATE DATE

2025-04-28T20:48:55.338000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE