VARIoT IoT vulnerabilities database
| VAR-201702-0249 | CVE-2016-7652 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in the WebKit component of several Apple products. ==========================================================================
Ubuntu Security Notice USN-3191-1
February 06, 2017
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.10.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3191-1
CVE-2016-7586, CVE-2016-7589, CVE-2016-7592, CVE-2016-7599,
CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639,
CVE-2016-7641, CVE-2016-7645, CVE-2016-7652, CVE-2016-7654,
CVE-2016-7656
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.04.1
.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0246 | CVE-2016-7649 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0349 | CVE-2016-4692 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that comes with the Mac OS X and iOS operating systems by default. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in the WebKit component of several Apple products.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-5 Additional information for
APPLE-SA-2016-12-12-1 iOS 10.2
iOS 10.2 addresses the following:
Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A nearby user may be able to overhear spoken passwords
Description: A disclosure issue existed in the handling of passwords.
This issue was addressed by disabling the speaking of passwords.
CVE-2016-7634: Davut Hari
Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
access photos and contacts from the lock screen
Description: A lock screen issue allowed access to photos and
contacts on a locked device. This issue was addressed by restricting
options offered on a locked device.
CVE-2016-7664: Miguel Alvarado of iDeviceHelp
Accounts
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An issue existed which did not reset the authorization
settings on app uninstall
Description: This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro
Audio
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7658: Haohao Kong of Keen Lab (@keen_lab) of Tencent
CVE-2016-7659: Haohao Kong of Keen Lab (@keen_lab) of Tencent
Entry added December 13, 2016
CoreFoundation
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing malicious strings may lead to an unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
strings. This issue was addressed through improved bounds checking.
CVE-2016-7663: an anonymous researcher
Entry added December 13, 2016
CoreGraphics
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
unexpected application termination
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-7627: TRAPMINE Inc. & Meysam Firouzi @R00tkitSMM
Entry added December 13, 2016
CoreMedia External Displays
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application may be able to execute arbitrary code in
the context of the mediaserver daemon
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-7655: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
CoreMedia Playback
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted .mp4 file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7588: dragonltx of Huawei 2012 Laboratories
Entry added December 13, 2016
CoreText
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-7595: riusksk(ae3aY=) of Tencent Security Platform
Department
Entry added December 13, 2016
Disk Images
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7616: daybreaker@Minionz working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
Find My iPhone
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker with an unlocked device may be able to disable
Find My iPhone
Description: A state management issue existed in the handling of
authentication information. This issue was addressed through
improved storage of account information.
CVE-2016-7638: an anonymous researcher, Sezer Sakiner
FontParser
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-4691: riusksk(ae3aY=) of Tencent Security Platform
Department
Entry added December 13, 2016
FontParser
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A buffer overflow existed in the handling of font files.
This issue was addressed through improved bounds checking.
CVE-2016-4688: Simon Huang of Alipay company,
thelongestusernameofall@gmail.com
Entry added December 13, 2016
Graphics Driver
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Watching a maliciously crafted video may lead to a denial of
service
Description: A denial of service issue existed in the handling of
video. This issue was addressed through improved input validation.
CVE-2016-7665: Moataz El Gaml of Schlumberger
ICU
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7594: AndrA(c) Bargull
Entry added December 13, 2016
Image Capture
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A validation issue existed in the handling of USB image
devices. This issue was addressed through improved input validation.
CVE-2016-4690: Andy Davis of NCC Group
ImageIO
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-7643: Yangkang (@dnpushme) of Qihoo360 Qex Team
Entry added December 13, 2016
IOHIDFamily
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application with system privileges may be able to
execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7591: daybreaker of Minionz
Entry added December 13, 2016
IOKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to read kernel memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7657: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2016-7606: @cocoahuke, Chen Qin of Topsec Alpha Team (topsec.com)
CVE-2016-7612: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to read kernel memory
Description: An insufficient initialization issue was addressed by
properly initializing memory returned to user space.
CVE-2016-7607: Brandon Azad
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to cause a system denial of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2016-7615: The UK's National Cyber Security Centre (NCSC)
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7621: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7637: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application with system privileges may be able to
execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7644: Ian Beer of Google Project Zero
Entry added December 13, 2016
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local attacker may be able to overwrite existing files
Description: A validation issue existed in the handling of symlinks.
This issue was addressed through improved validation of symlinks.
CVE-2016-7619: an anonymous researcher
Entry added December 13, 2016
Local Authentication
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: The device may not lock the screen after the idle timeout
Description: A logic issue existed in the handling of the idle timer
when the Touch ID prompt is shown. This issue was addressed through
improved handling of the idle timer.
CVE-2016-7601: an anonymous researcher
Mail
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An email signed with a revoked certificate may appear valid
Description: S/MIME policy failed to check if a certificate was
valid. This issue was addressed by notifying a user if an email was
signed with a revoked certificate.
CVE-2016-4689: an anonymous researcher
Media Player
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A user may be able to view photos and contacts from the
lockscreen
Description: A validation issue existed in the handling of media
selection. This issue was addressed through improved validation.
CVE-2016-7653
Power Management
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed
through improved validation.
CVE-2016-7661: Ian Beer of Google Project Zero
Entry added December 13, 2016
Profiles
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Opening a maliciously crafted certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
certificate profiles. This issue was addressed through improved input
validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)
Safari Reader
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker may be able to exploit weaknesses in the 3DES
cryptographic algorithm
Description: 3DES was removed as a default cipher.
CVE-2016-4693: GaA<<tan Leurent and Karthikeyan Bhargavan from INRIA
Paris
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: A validation issue existed in the handling of OCSP
responder URLs. This issue was addressed by verifying OCSP revocation
status after CA validation and limiting the number of OCSP requests
per certificate.
CVE-2016-7636: Maksymilian Arciemowicz (cxsecurity.com)
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Certificates may be unexpectedly evaluated as trusted
Description: A certificate evaluation issue existed in certificate
validation. This issue was addressed through additional validation of
certificates.
CVE-2016-7662: Apple
Entry added December 13, 2016
SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
unlock the device
Description: In some cases, a counter issue existed in the handling
of passcode attempts when resetting the passcode. This was addressed
through improved state management.
CVE-2016-4781: an anonymous researcher
SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
keep the device unlocked
Description: A cleanup issue existed in the handling of Handoff with
Siri. This was addressed through improved state management.
CVE-2016-7597: an anonymous researcher
syslog
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed
through improved validation.
CVE-2016-7660: Ian Beer of Google Project Zero
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Entry added December 13, 2016
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "10.2".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGMloP/RDTtXKaNcwG2eVfvwcJOq7r
6/xS+aoLjvcgHSn6Q4q4Ez0HFchHjflKV7lAtCe7RDEJxjQZw7/DrpoPSqtiwgpI
0RRvbgy6qmfKQxf2dmXCbDJh/sdIATmc/sF+RncvboYvi2n7AEHQwn+1Axtsag2m
HcxecQdlRjoj2A9x+d0EdKNj5pbZmL/YM5jZBQimNKaF7HnCjFrK6u/Xs0cKwypH
zqD7ZCyYD2gN08DJbaAFPm+JTINwi/wI3pvg+WPphbG2IAufNs0KoSv1TX/yY45F
G1oiQSSCqYNKWmC4Pa03ycxMH3eywnKp4D29400n7XkG4Hs8wfXBig5QutUQWtM1
YEm6s+K2qiee+9shc4YMqMumNUA4tFCv2a4OG1sUYDZiPxkW0mWW+Y8u+u9D2ao5
z+mOGuuf4NIl3EcEcnLKLVlSIVFmsiJkPRYTSafwQ6o9kX3N6CtR2suvydm90su1
V2hbIWRia/uhrK7KUk83nOf3e5eqjzb4P7+z8TP0GwRkNST+nVXbYA3274kZ+Ik2
Z0g38tXO7F2r/QQmDswrsYP2q9T7/xpLbmNjuyGdcwqz57La4fszc4K2twEC6NEb
9drzqLyyG8fJd0MB1QqivSKLdm1wsYDd379osBQYpmSSWcZ/hkIQsB7PZ5f8vcOc
4zLHOqZUbWi1DVWViMNQ
=LKqY
-----END PGP SIGNATURE-----
.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store
| VAR-201702-0244 | CVE-2016-7646 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0238 | CVE-2016-7640 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0231 | CVE-2016-7633 | Apple macOS Vulnerability in the directory service component |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Directory Services" component. It allows local users to gain privileges or cause a denial of service (use-after-free) via unspecified vectors. Apple macOS The directory service component is either authorized or service disruption ( Use of freed memory (use-after-free)) There are vulnerabilities that are put into a state.Authorized by local user or service disruption ( Use of freed memory (use-after-free)) There is a possibility of being put into a state. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. Attackers can exploit this vulnerability to gain root privileges
| VAR-201702-0467 | CVE-2016-7587 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-5 Additional information for
APPLE-SA-2016-12-12-1 iOS 10.2
iOS 10.2 addresses the following:
Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A nearby user may be able to overhear spoken passwords
Description: A disclosure issue existed in the handling of passwords.
This issue was addressed by disabling the speaking of passwords.
CVE-2016-7634: Davut Hari
Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
access photos and contacts from the lock screen
Description: A lock screen issue allowed access to photos and
contacts on a locked device. This issue was addressed by restricting
options offered on a locked device.
CVE-2016-7664: Miguel Alvarado of iDeviceHelp
Accounts
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An issue existed which did not reset the authorization
settings on app uninstall
Description: This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro
Audio
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7658: Haohao Kong of Keen Lab (@keen_lab) of Tencent
CVE-2016-7659: Haohao Kong of Keen Lab (@keen_lab) of Tencent
Entry added December 13, 2016
CoreFoundation
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing malicious strings may lead to an unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
strings. This issue was addressed through improved bounds checking.
CVE-2016-7663: an anonymous researcher
Entry added December 13, 2016
CoreGraphics
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
unexpected application termination
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-7627: TRAPMINE Inc. & Meysam Firouzi @R00tkitSMM
Entry added December 13, 2016
CoreMedia External Displays
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application may be able to execute arbitrary code in
the context of the mediaserver daemon
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-7655: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
CoreMedia Playback
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted .mp4 file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7588: dragonltx of Huawei 2012 Laboratories
Entry added December 13, 2016
CoreText
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-7595: riusksk(ae3aY=) of Tencent Security Platform
Department
Entry added December 13, 2016
Disk Images
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7616: daybreaker@Minionz working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
Find My iPhone
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker with an unlocked device may be able to disable
Find My iPhone
Description: A state management issue existed in the handling of
authentication information. This issue was addressed through
improved storage of account information.
CVE-2016-7638: an anonymous researcher, Sezer Sakiner
FontParser
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-4691: riusksk(ae3aY=) of Tencent Security Platform
Department
Entry added December 13, 2016
FontParser
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A buffer overflow existed in the handling of font files.
This issue was addressed through improved bounds checking.
CVE-2016-4688: Simon Huang of Alipay company,
thelongestusernameofall@gmail.com
Entry added December 13, 2016
Graphics Driver
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Watching a maliciously crafted video may lead to a denial of
service
Description: A denial of service issue existed in the handling of
video. This issue was addressed through improved input validation.
CVE-2016-7665: Moataz El Gaml of Schlumberger
ICU
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7594: AndrA(c) Bargull
Entry added December 13, 2016
Image Capture
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A validation issue existed in the handling of USB image
devices. This issue was addressed through improved input validation.
CVE-2016-4690: Andy Davis of NCC Group
ImageIO
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-7643: Yangkang (@dnpushme) of Qihoo360 Qex Team
Entry added December 13, 2016
IOHIDFamily
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application with system privileges may be able to
execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7591: daybreaker of Minionz
Entry added December 13, 2016
IOKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to read kernel memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7657: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2016-7606: @cocoahuke, Chen Qin of Topsec Alpha Team (topsec.com)
CVE-2016-7612: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to read kernel memory
Description: An insufficient initialization issue was addressed by
properly initializing memory returned to user space.
CVE-2016-7607: Brandon Azad
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to cause a system denial of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2016-7615: The UK's National Cyber Security Centre (NCSC)
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7621: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7637: Ian Beer of Google Project Zero
Entry added December 13, 2016
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local application with system privileges may be able to
execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7644: Ian Beer of Google Project Zero
Entry added December 13, 2016
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local attacker may be able to overwrite existing files
Description: A validation issue existed in the handling of symlinks.
This issue was addressed through improved validation of symlinks.
CVE-2016-7619: an anonymous researcher
Entry added December 13, 2016
Local Authentication
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: The device may not lock the screen after the idle timeout
Description: A logic issue existed in the handling of the idle timer
when the Touch ID prompt is shown. This issue was addressed through
improved handling of the idle timer.
CVE-2016-7601: an anonymous researcher
Mail
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An email signed with a revoked certificate may appear valid
Description: S/MIME policy failed to check if a certificate was
valid. This issue was addressed by notifying a user if an email was
signed with a revoked certificate.
CVE-2016-4689: an anonymous researcher
Media Player
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A user may be able to view photos and contacts from the
lockscreen
Description: A validation issue existed in the handling of media
selection. This issue was addressed through improved validation.
CVE-2016-7653
Power Management
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed
through improved validation.
CVE-2016-7661: Ian Beer of Google Project Zero
Entry added December 13, 2016
Profiles
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Opening a maliciously crafted certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
certificate profiles. This issue was addressed through improved input
validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)
Safari Reader
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker may be able to exploit weaknesses in the 3DES
cryptographic algorithm
Description: 3DES was removed as a default cipher.
CVE-2016-4693: GaA<<tan Leurent and Karthikeyan Bhargavan from INRIA
Paris
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: A validation issue existed in the handling of OCSP
responder URLs. This issue was addressed by verifying OCSP revocation
status after CA validation and limiting the number of OCSP requests
per certificate.
CVE-2016-7636: Maksymilian Arciemowicz (cxsecurity.com)
Entry added December 13, 2016
Security
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Certificates may be unexpectedly evaluated as trusted
Description: A certificate evaluation issue existed in certificate
validation. This issue was addressed through additional validation of
certificates.
CVE-2016-7662: Apple
Entry added December 13, 2016
SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
unlock the device
Description: In some cases, a counter issue existed in the handling
of passcode attempts when resetting the passcode. This was addressed
through improved state management.
CVE-2016-4781: an anonymous researcher
SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to
keep the device unlocked
Description: A cleanup issue existed in the handling of Handoff with
Siri. This was addressed through improved state management.
CVE-2016-7597: an anonymous researcher
syslog
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed
through improved validation.
CVE-2016-7660: Ian Beer of Google Project Zero
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
Entry added December 13, 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Entry added December 13, 2016
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "10.2".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGMloP/RDTtXKaNcwG2eVfvwcJOq7r
6/xS+aoLjvcgHSn6Q4q4Ez0HFchHjflKV7lAtCe7RDEJxjQZw7/DrpoPSqtiwgpI
0RRvbgy6qmfKQxf2dmXCbDJh/sdIATmc/sF+RncvboYvi2n7AEHQwn+1Axtsag2m
HcxecQdlRjoj2A9x+d0EdKNj5pbZmL/YM5jZBQimNKaF7HnCjFrK6u/Xs0cKwypH
zqD7ZCyYD2gN08DJbaAFPm+JTINwi/wI3pvg+WPphbG2IAufNs0KoSv1TX/yY45F
G1oiQSSCqYNKWmC4Pa03ycxMH3eywnKp4D29400n7XkG4Hs8wfXBig5QutUQWtM1
YEm6s+K2qiee+9shc4YMqMumNUA4tFCv2a4OG1sUYDZiPxkW0mWW+Y8u+u9D2ao5
z+mOGuuf4NIl3EcEcnLKLVlSIVFmsiJkPRYTSafwQ6o9kX3N6CtR2suvydm90su1
V2hbIWRia/uhrK7KUk83nOf3e5eqjzb4P7+z8TP0GwRkNST+nVXbYA3274kZ+Ik2
Z0g38tXO7F2r/QQmDswrsYP2q9T7/xpLbmNjuyGdcwqz57La4fszc4K2twEC6NEb
9drzqLyyG8fJd0MB1QqivSKLdm1wsYDd379osBQYpmSSWcZ/hkIQsB7PZ5f8vcOc
4zLHOqZUbWi1DVWViMNQ
=LKqY
-----END PGP SIGNATURE-----
.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store
| VAR-201702-0237 | CVE-2016-7639 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. ==========================================================================
Ubuntu Security Notice USN-3191-1
February 06, 2017
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.10.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3191-1
CVE-2016-7586, CVE-2016-7589, CVE-2016-7592, CVE-2016-7599,
CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639,
CVE-2016-7641, CVE-2016-7645, CVE-2016-7652, CVE-2016-7654,
CVE-2016-7656
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.04.1
.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0228 | CVE-2016-7629 | Apple macOS of kext Tool component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. Apple macOS is prone to multiple security vulnerabilities. kext tools is one of the system driver installation and permission repair components
| VAR-201702-0227 | CVE-2016-7628 | Apple macOS Vulnerabilities that prevent permission restrictions on asset components |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Assets" component, which allows local users to bypass intended permission restrictions and change a downloaded mobile asset via unspecified vectors. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. Assets is one of the library components that supports multi-picture selection. An attacker could exploit this vulnerability to alter the downloaded phone gallery
| VAR-201702-0240 | CVE-2016-7642 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0243 | CVE-2016-7645 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. ==========================================================================
Ubuntu Security Notice USN-3191-1
February 06, 2017
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.10.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3191-1
CVE-2016-7586, CVE-2016-7589, CVE-2016-7592, CVE-2016-7599,
CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639,
CVE-2016-7641, CVE-2016-7645, CVE-2016-7652, CVE-2016-7654,
CVE-2016-7656
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.04.1
.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0224 | CVE-2016-7625 | Apple macOS of IOKit Vulnerability in obtaining important kernel memory layout information in component |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOKit" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within IOReportUserClient. The process does not properly validate user-supplied data which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges under the context of the kernel. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. IOKit is one of the components that read system information
| VAR-201702-0223 | CVE-2016-7624 | Apple macOS of IOAcceleratorFamily Vulnerability in component critical kernel memory layout information retrieval |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOAcceleratorFamily" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within IOCommandQueue. The process does not properly validate user-supplied data which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges under the context of the kernel. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. IOAcceleratorFamily is one of the IO acceleration management components
| VAR-201702-0221 | CVE-2016-7622 | Apple macOS of Grapher Vulnerability in arbitrary code execution in components |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Grapher" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .gcx file. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition
| VAR-201702-0239 | CVE-2016-7641 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. Apple Safari/Cloud/iTunes/iOS and tvOS are prone to multiple security vulnerabilities
Attackers can exploit these issues to execute arbitrary code, obtain sensitive information and bypass security restrictions. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Safari 10.0.2, iCloud for Windows 6.1, iTunes 12.5.4, iOS 10.2, tvOS 10.1 are vulnerable. Apple Safari is a web browser that comes with the default browser on the Mac OS X and iOS operating systems; iTunes is a suite of media player applications. WebKit is an open source web browser engine developed by the KDE community and is currently used by browsers such as Apple Safari and Google Chrome. ==========================================================================
Ubuntu Security Notice USN-3191-1
February 06, 2017
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.10.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3191-1
CVE-2016-7586, CVE-2016-7589, CVE-2016-7592, CVE-2016-7599,
CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639,
CVE-2016-7641, CVE-2016-7645, CVE-2016-7652, CVE-2016-7654,
CVE-2016-7656
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.04.1
.
CVE-2016-7632: Jeonghoon Shin
Windows Security
Available for: Windows 7 and later
Impact: A local user may be able to leak sensitive user information
Description: The iCloud desktop client failed to clear sensitive
information in memory.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.3 >= 2.16.3
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
References
==========
[ 1 ] CVE-2015-2330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2330
[ 2 ] CVE-2015-7096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7096
[ 3 ] CVE-2015-7098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7098
[ 4 ] CVE-2016-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723
[ 5 ] CVE-2016-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724
[ 6 ] CVE-2016-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725
[ 7 ] CVE-2016-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726
[ 8 ] CVE-2016-1727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727
[ 9 ] CVE-2016-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728
[ 10 ] CVE-2016-4692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
[ 11 ] CVE-2016-4743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
[ 12 ] CVE-2016-7586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
[ 13 ] CVE-2016-7587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
[ 14 ] CVE-2016-7589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
[ 15 ] CVE-2016-7592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
[ 16 ] CVE-2016-7598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
[ 17 ] CVE-2016-7599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
[ 18 ] CVE-2016-7610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
[ 19 ] CVE-2016-7611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
[ 20 ] CVE-2016-7623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
[ 21 ] CVE-2016-7632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
[ 22 ] CVE-2016-7635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
[ 23 ] CVE-2016-7639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
[ 24 ] CVE-2016-7640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
[ 25 ] CVE-2016-7641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
[ 26 ] CVE-2016-7642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
[ 27 ] CVE-2016-7645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
[ 28 ] CVE-2016-7646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
[ 29 ] CVE-2016-7648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
[ 30 ] CVE-2016-7649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
[ 31 ] CVE-2016-7652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
[ 32 ] CVE-2016-7654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
[ 33 ] CVE-2016-7656
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
[ 34 ] CVE-2016-9642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9642
[ 35 ] CVE-2016-9643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9643
[ 36 ] CVE-2017-2350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
[ 37 ] CVE-2017-2354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
[ 38 ] CVE-2017-2355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
[ 39 ] CVE-2017-2356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
[ 40 ] CVE-2017-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
[ 41 ] CVE-2017-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
[ 42 ] CVE-2017-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
[ 43 ] CVE-2017-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
[ 44 ] CVE-2017-2366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
[ 45 ] CVE-2017-2367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2367
[ 46 ] CVE-2017-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
[ 47 ] CVE-2017-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
[ 48 ] CVE-2017-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
[ 49 ] CVE-2017-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2376
[ 50 ] CVE-2017-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2377
[ 51 ] CVE-2017-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2386
[ 52 ] CVE-2017-2392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2392
[ 53 ] CVE-2017-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2394
[ 54 ] CVE-2017-2395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2395
[ 55 ] CVE-2017-2396
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2396
[ 56 ] CVE-2017-2405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2405
[ 57 ] CVE-2017-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2415
[ 58 ] CVE-2017-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2419
[ 59 ] CVE-2017-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2433
[ 60 ] CVE-2017-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2442
[ 61 ] CVE-2017-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2445
[ 62 ] CVE-2017-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2446
[ 63 ] CVE-2017-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2447
[ 64 ] CVE-2017-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2454
[ 65 ] CVE-2017-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2455
[ 66 ] CVE-2017-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2457
[ 67 ] CVE-2017-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2459
[ 68 ] CVE-2017-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2460
[ 69 ] CVE-2017-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2464
[ 70 ] CVE-2017-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2465
[ 71 ] CVE-2017-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2466
[ 72 ] CVE-2017-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2468
[ 73 ] CVE-2017-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2469
[ 74 ] CVE-2017-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2470
[ 75 ] CVE-2017-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2471
[ 76 ] CVE-2017-2475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2475
[ 77 ] CVE-2017-2476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2476
[ 78 ] CVE-2017-2481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2481
[ 79 ] CVE-2017-2496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496
[ 80 ] CVE-2017-2504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504
[ 81 ] CVE-2017-2505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505
[ 82 ] CVE-2017-2506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506
[ 83 ] CVE-2017-2508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508
[ 84 ] CVE-2017-2510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510
[ 85 ] CVE-2017-2514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514
[ 86 ] CVE-2017-2515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515
[ 87 ] CVE-2017-2521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521
[ 88 ] CVE-2017-2525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525
[ 89 ] CVE-2017-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526
[ 90 ] CVE-2017-2528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528
[ 91 ] CVE-2017-2530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530
[ 92 ] CVE-2017-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531
[ 93 ] CVE-2017-2536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536
[ 94 ] CVE-2017-2539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539
[ 95 ] CVE-2017-2544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544
[ 96 ] CVE-2017-2547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547
[ 97 ] CVE-2017-2549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549
[ 98 ] CVE-2017-6980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980
[ 99 ] CVE-2017-6984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--NcNxMnppmhackEL27c23XhPLDAAQ7GQcq--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-12-13-2 Safari 10.0.2
Safari 10.0.2 is now available and addresses the following:
Safari Reader
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through
improved input sanitization.
CVE-2016-7650: Erling Ellingsen
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel GroA
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted website may compromise user
information
Description: An issue existed in the handling of blob URLs. This
issue was addressed through improved URL handling.
CVE-2016-7623: xisigr of Tencent's Xuanwu Lab
(tencent.com)
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.1
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin
Safari 10.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYT7LLAAoJEIOj74w0bLRGN4UQAJ8QGVJNCoYlvJEY/VHAOQWm
LMm32fidQv1hHsu5fKfCnkhhQkqO97wEFleVJ/SZkrc19ALS5XHuW7HJBvbo84US
JBkp6BUJao8Ye4hgbbpp6bNUB+PUsyJoF8iSF3PjDbXEWbe4T/NM62JUcmlDsGAl
YR7euBKRBXGAnm9sJWdBa3pbXfSwhCVeSZYY61SIr85Jkq8r7e5vFHqoW+9Anh7G
3Q51BqI5o+c6CwdylQAHfJigmfcOW0zrzYH4CviRwgMpI3ikqGij4sLXuoDZA2f0
YDMIAovRyBVlY7IRHOIQbUKW4I5bqBDcVOAGA11jHI6QjQjUWbVOC05pxLnF8pLB
4CbYTSqlYRaosJHncsvG9m+8pClik9eNleJaYJ7dPghnTtvoWYysi9rlvyWk3x9e
5u1fLgHjcHkF68iTWRC6DYDwiZZeFnMIl+gXApCe0f4uoZMtyOY5tWdwvlVEpGJz
lbL6uGX748Cg68JupyWnrcIXZiLrw/YujS+tRgsLyNhTTy1SObTQwqp0jZ89y1g7
+535ZJk/AyR9rWcBVcldrINQ0R4iqZoa1npwwAd/b0ItZgzFPzz5RPGltl2syTvp
3hNGv5HeJqFGND2Apn5/pLD/n9gMMROCkQx2ooFAEehZ1BJE3WJXaDBMEy6jtfK2
OmgDKgbTexNtFNMI1qBE
=cycU
-----END PGP SIGNATURE-----
| VAR-201702-0219 | CVE-2016-7620 | Apple macOS of IOSurface Vulnerability in component critical kernel memory layout information retrieval |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOSurface" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within IOSurface. The process does not properly validate user-supplied data which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges under the context of the kernel. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. IOSurface is one of the programming framework components
| VAR-201702-0217 | CVE-2016-7618 | Apple macOS of Foundation Arbitrary code execution vulnerabilities in components |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Foundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .gcx file. Apple macOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, obtain sensitive information, gain elevated privileges or cause a denial-of-service condition. Foundation is one of the base layer components that defines Objective-C classes
| VAR-201702-0216 | CVE-2016-7617 | Apple macOS of Bluetooth Component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (type confusion) via a crafted app. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the handling of the AppleBroadcomBluetoothHostController kext. The issue results from the lack of proper validation of user-supplied data which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges under the context of the kernel. Apple macOS is prone to multiple security vulnerabilities
| VAR-201702-0242 | CVE-2016-7644 | plural Apple Vulnerability in the kernel component of a product that allows arbitrary code execution in privileged contexts |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. Apple iOS is an operating system developed for mobile devices; watchOS is an operating system for smart watches. The following products and versions are affected: Apple iOS prior to 10.2; macOS Sierra prior to 10.12.2; watchOS prior to 3.1.3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-01-23-3 watchOS 3.1.3
watchOS 3.1.3 is now available and addresses the following:
Accounts
Available for: All Apple Watch models
Impact: Uninstalling an app did not reset the authorization settings
Description: An issue existed which did not reset the authorization
settings on app uninstall. This issue was addressed through improved
sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro
Audio
Available for: All Apple Watch models
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7658: Haohao Kong of Keen Lab (@keen_lab) of Tencent
CVE-2016-7659: Haohao Kong of Keen Lab (@keen_lab) of Tencent
Auto Unlock
Available for: All Apple Watch models
Impact: Auto Unlock may unlock when Apple Watch is off the user's
wrist
Description: A logic issue was addressed through improved state
management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
CoreFoundation
Available for: All Apple Watch models
Impact: Processing maliciously crafted strings may lead to an
unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
strings. This issue was addressed through improved bounds checking.
CVE-2016-7663: an anonymous researcher
CoreGraphics
Available for: All Apple Watch models
Impact: Processing a maliciously crafted font file may lead to
unexpected application termination
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-7627: TRAPMINE Inc. & Meysam Firouzi @R00tkitSMM
CoreMedia Playback
Available for: All Apple Watch models
Impact: Processing a maliciously crafted .mp4 file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7588: dragonltx of Huawei 2012 Laboratories
CoreText
Available for: All Apple Watch models
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-7616: daybreaker@Minionz working with Trend Micro's Zero Day
Initiative
FontParser
Available for: All Apple Watch models
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-2016-4691: riusksk(ae3aY=) of Tencent Security Platform
Department
FontParser
Available for: All Apple Watch models
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A buffer overflow existed in the handling of font files.
This issue was addressed through improved bounds checking.
CVE-2016-4688: Simon Huang of Alipay company,
thelongestusernameofall@gmail.com
ICU
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-7594: AndrA(c) Bargull
ImageIO
Available for: All Apple Watch models
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-7591: daybreaker of Minionz
IOKit
Available for: All Apple Watch models
Impact: An application may be able to read kernel memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7657: Keen Lab working with Trend Micro's Zero Day
Initiative
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2016-7606: Chen Qin of Topsec Alpha Team (topsec.com), @cocoahuke
CVE-2016-7612: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read kernel memory
Description: An insufficient initialization issue was addressed by
properly initializing memory returned to user space.
CVE-2016-7607: Brandon Azad
Kernel
Available for: All Apple Watch models
Impact: A local user may be able to cause a system denial of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2016-7615: The UK's National Cyber Security Centre (NCSC)
Kernel
Available for: All Apple Watch models
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A use after free issue was addressed through improved
memory management.
CVE-2016-7621: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-7644: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2360: Ian Beer of Google Project Zero
libarchive
Available for: All Apple Watch models
Impact: A local attacker may be able to overwrite existing files
Description: A validation issue existed in the handling of symlinks.
This issue was addressed through improved validation of symlinks.
CVE-2016-7619: an anonymous researcher
libarchive
Available for: All Apple Watch models
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo
Profiles
Available for: All Apple Watch models
Impact: Opening a maliciously crafted certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
certificate profiles. This issue was addressed through improved input
validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)
Security
Available for: All Apple Watch models
Impact: An attacker may be able to exploit weaknesses in the 3DES
cryptographic algorithm
Description: 3DES was removed as a default cipher.
CVE-2016-4693: GaA<<tan Leurent and Karthikeyan Bhargavan from INRIA
Paris
Security
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: A validation issue existed in the handling of OCSP
responder URLs. This issue was addressed by verifying OCSP revocation
status after CA validation and limiting the number of OCSP requests
per certificate.
CVE-2016-7636: Maksymilian Arciemowicz (cxsecurity.com)
Security
Available for: All Apple Watch models
Impact: Certificates may be unexpectedly evaluated as trusted
Description: A certificate evaluation issue existed in certificate
validation. This issue was addressed through additional validation of
certificates.
CVE-2016-7662: Apple
syslog
Available for: All Apple Watch models
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed
through improved validation.
CVE-2016-7660: Ian Beer of Google Project Zero
WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJYgqLhAAoJEIOj74w0bLRGGHoQAN1fT/3R7qBCadclKXvxfs49
97/3sMt5Daw9EQjmw7/ye3Xc4lMR7rw5swBlKJDsKahn3qu95nhPk+zbxBW1jmeQ
1W6yr+SQoYZURxQoQ30qmyNQgEBjmk+nJlUN3SE8feibfGdRJBIHNDho9XBeRqvU
Bv64p1IRx8jo+YL98qCt3YZIcsR33e/mdpxVX+HJzCu/gXiEW4vma6Bpn6QOji0C
xY4hebFBdLdZXgDvmcqvz89BUfVM9Sk3gC92wpPPMRVKom1R9cuLAEUA2Xiuendy
VL7oHlERk+jChy/qRVmeVtk8l5fETNN5jFm1w39jWSt8BgZopshEhfRTYBPxiYxL
9Ah7PYfwyZWUj1VTwbnvdec44CQBX2/XIITfThPjX79811lJ65iS4PmNAvXAPAzF
mfKq9/94KB02StTMaVQMxQo3798PdjmW882SoAK0M5GHhf8e7wRAi6Tge7g5zPEe
cG+rcCdNqwH+7StQJnW1keHcU5GWPESFNSYiGVtbkGi5/KKUPbqsMFCpf4AiGQbK
nE9HOaS1qSkThvet0H+68Ec1UAGTWhXkNbIyxJGAutQnETzOJF97nb8elOzZK1MN
C6Liplz1bpGjNO9sXljdRh6KYThmDM7oy3NoJXhY9Rwy3LnJinIp0iEis9IMkHdA
YQ7bZyojEtZl7UHDHJVE
=RfaO
-----END PGP SIGNATURE-----