VARIoT IoT vulnerabilities database

Huawei E3276s USB modems with software before E3276s-150TCPU-V200R002B436D09SP00C00 allow man-in-the-middle attackers to intercept, spoof, or modify network traffic via unspecified vectors related to a fake network. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. HuaweiE3276sUSBmodems is a USB modem product from China's Huawei company. Huawei E3276s is prone to an unspecified security-bypass vulnerability. Successfully exploiting this issue may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. Huawei E3276s E3276s-150TCPU-V200R002B250D04SP00C00 is vulnerable

Huawei Quidway S9700, S5700, S5300, S9300, and S7700 switches with software before V200R003SPH012 allow remote attackers to cause a denial of service (switch restart) via crafted traffic. Huawei S9300, S5700, S5300, S9300, and S7700 are all S series switches of Huawei. There are security vulnerabilities in various HuaweiQuidway switches. Multiple Huawei Quidway S-Series Switches are prone to a denial-of-service vulnerability. Huawei Quidway S9700, S5700, S5300, S9300, and S7700 are all S-series switch products of China's Huawei (Huawei). The following products and versions are affected: Huawei Quidway S9700, S5700, S5300, S9300, and S7700 using software versions earlier than V200R003SPH012

Cross-site scripting (XSS) vulnerability in McAfee Email Gateway (MEG) 7.6.x before 7.6.404, when File Filtering is enabled with the action set to ESERVICES:REPLACE, allows remote attackers to inject arbitrary web script or HTML via an attachment in a blocked email. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. McAfee Email Gateway 7.6 is vulnerable; other versions may also be affected. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more

Cross-site request forgery (CSRF) vulnerability on NEC Aterm WG300HP devices allows remote attackers to hijack the authentication of arbitrary users. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, unintended operations may be performed. NECAtermWG300HP is a wireless router product from NEC. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Aterm WG300HP is vulnerable; other versions may also be affected

Cross-site request forgery (CSRF) vulnerability on NEC Aterm WF800HP devices with firmware 1.0.17 and earlier allows remote attackers to hijack the authentication of arbitrary users. Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, unintended operations may be performed. NECAtermWF800HP is a wireless router product from NEC. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Aterm WF800HP 1.0.17 is vulnerable; other versions may also be affected

Cisco FireSIGHT System Software 5.4.0 through 6.0.1 and ASA with FirePOWER Services 5.4.0 through 6.0.0.1 allow remote attackers to bypass malware protection via crafted fields in HTTP headers, aka Bug ID CSCux22726. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is tracked by Cisco Bug ID CSCux22726. A remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to bypass malicious file detection or blocking policies. The following devices and versions are affected: Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services Version 5.4.0 to Version 6.0.0.1, Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances, Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances, FirePOWER 7000 Series Appliances, FirePOWER 8000 Series Appliances, FirePOWER Threat Defense for Integrated Services Routers(ISRs), Next Generation Intrusion Prevention System (NGIPS) for Blue Coat X-Series, Sourcefire Next 3D System Appliances, Virt -Generation Intrusion Prevention System (NGIPSv) for VMware

Cross-site scripting (XSS) vulnerability in Cisco Unified Communications Domain Manager (CDM) 8.1(1) allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux80760. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCux80760. This component features scalable, distributed, and highly available enterprise Voice over IP call processing. A cross-site scripting vulnerability exists in CUCDM version 8.1(1)

Buffer overflow in lib/flow.c in ovs-vswitchd in Open vSwitch 2.2.x and 2.3.x before 2.3.3 and 2.4.x before 2.4.1 allows remote attackers to execute arbitrary code via crafted MPLS packets, as demonstrated by a long string in an ovs-appctl command. Open vSwitch is prone to multiple remote buffer-overflow vulnerabilities because it fails to adequately bounds check user-supplied data before copying it into an insufficiently sized buffer. Successful exploits may allow attackers to execute arbitrary code or cause denial-of-service conditions. It supports large-scale network automation, standard management interfaces and protocols, etc. through programming extensions. The following versions are affected: OVS Version 2.2.x, Version 2.3.x, Version 2.4.x. Background ========== Open vSwitch is a production quality multilayer virtual switch. Workaround ========== There is no known workaround at this time. Resolution ========== All Open vSwitch users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.5.0" References ========== [ 1 ] CVE-2016-2074 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2074 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-07 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --FOwRaKoxFb5txc6jCpaFu8xVgvCjK1wAH-- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openvswitch security update Advisory ID: RHSA-2016:0615-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2016:0615 Issue date: 2016-04-11 CVE Names: CVE-2016-2074 ===================================================================== 1. Summary: Updated openvswitch packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.1. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Enterprise 3.1 - noarch, x86_64 3. Description: OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. A buffer overflow flaw was discovered in the OVS processing of MPLS labels. A remote attacker able to deliver a frame containing a malicious MPLS label that would be processed by OVS could trigger the flaw and use the resulting memory corruption to cause a denial of service (DoS) or, possibly, execute arbitrary code. (CVE-2016-2074) Red Hat would like to thank the Open vSwitch Project for reporting these issues. Upstream acknowledges Kashyap Thimmaraju and Bhargava Shastry as the original reporters of CVE-2016-2074. This update includes the following images: openshift3/openvswitch:v3.1.1.6-9 aep3_beta/openvswitch:v3.1.1.6-9 openshift3/node:v3.1.1.6-16 aep3_beta/node:v3.1.1.6-16 All openvswitch users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1318553 - CVE-2016-2074 openvswitch: MPLS buffer overflow vulnerability 6. Package List: Red Hat OpenShift Enterprise 3.1: Source: openvswitch-2.4.0-2.el7_2.src.rpm noarch: openvswitch-test-2.4.0-2.el7_2.noarch.rpm python-openvswitch-2.4.0-2.el7_2.noarch.rpm x86_64: openvswitch-2.4.0-2.el7_2.x86_64.rpm openvswitch-debuginfo-2.4.0-2.el7_2.x86_64.rpm openvswitch-devel-2.4.0-2.el7_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-2074 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXDKHJXlSAg2UNWIIRArVMAJ9kWC3bedooegoZ6ADWrLKD9xKzCQCfUQmK /IpUBYvFD22Fc2VwgoAoq2g= =EyZn -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . For the stable distribution (jessie), this problem has been fixed in version 2.3.0+git20140819-3+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 2.3.0+git20140819-4. We recommend that you upgrade your openvswitch packages. Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic

Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call. PHP is prone to a denial-of-service vulnerability. Successful exploits may allow the attacker to crash the affected application resulting in denial-of-service condition. PHP (PHP: Hypertext Preprocessor, PHP: Hypertext Preprocessor) is an open source general-purpose computer scripting language jointly maintained by the PHP Group and the open source community. The language is mainly used for Web development and supports a variety of databases and operating systems. An integer overflow vulnerability exists in the 'the mbfl_strcut' function in PHP's ext/mbstring/libmbfl/mbfl/mbfilter.c file. The following versions are affected: PHP prior to 5.5.34, 5.6.x prior to 5.6.20, and 7.x prior to 7.0.5. ============================================================================ Ubuntu Security Notice USN-2984-1 May 24, 2016 php5, php7.0 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 15.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in PHP. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865) Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip archives. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078) It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3132) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4070) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4071) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4072) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4073) It was discovered that the PHP phar extension incorrectly handled certain archive files. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-4342, CVE-2016-4343) It was discovered that the PHP bcpowmod() function incorrectly handled memory. (CVE-2016-4537, CVE-2016-4538) It was discovered that the PHP XML parser incorrectly handled certain malformed XML data. (CVE-2016-4539) It was discovered that certain PHP grapheme functions incorrectly handled negative offsets. (CVE-2016-4540, CVE-2016-4541) It was discovered that PHP incorrectly handled certain malformed EXIF tags. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libapache2-mod-php7.0 7.0.4-7ubuntu2.1 php7.0-cgi 7.0.4-7ubuntu2.1 php7.0-cli 7.0.4-7ubuntu2.1 php7.0-fpm 7.0.4-7ubuntu2.1 Ubuntu 15.10: libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.4 php5-cgi 5.6.11+dfsg-1ubuntu3.4 php5-cli 5.6.11+dfsg-1ubuntu3.4 php5-fpm 5.6.11+dfsg-1ubuntu3.4 Ubuntu 14.04 LTS: libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.17 php5-cgi 5.5.9+dfsg-1ubuntu4.17 php5-cli 5.5.9+dfsg-1ubuntu4.17 php5-fpm 5.5.9+dfsg-1ubuntu4.17 Ubuntu 12.04 LTS: libapache2-mod-php5 5.3.10-1ubuntu3.23 php5-cgi 5.3.10-1ubuntu3.23 php5-cli 5.3.10-1ubuntu3.23 php5-fpm 5.3.10-1ubuntu3.23 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-php56 security, bug fix, and enhancement update Advisory ID: RHSA-2016:2750-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2750.html Issue date: 2016-11-15 CVE Names: CVE-2013-7456 CVE-2014-9767 CVE-2015-2325 CVE-2015-2326 CVE-2015-2327 CVE-2015-2328 CVE-2015-3210 CVE-2015-3217 CVE-2015-5073 CVE-2015-8381 CVE-2015-8383 CVE-2015-8384 CVE-2015-8385 CVE-2015-8386 CVE-2015-8388 CVE-2015-8391 CVE-2015-8392 CVE-2015-8395 CVE-2015-8835 CVE-2015-8865 CVE-2015-8866 CVE-2015-8867 CVE-2015-8873 CVE-2015-8874 CVE-2015-8876 CVE-2015-8877 CVE-2015-8879 CVE-2016-1903 CVE-2016-2554 CVE-2016-3074 CVE-2016-3141 CVE-2016-3142 CVE-2016-4070 CVE-2016-4071 CVE-2016-4072 CVE-2016-4073 CVE-2016-4342 CVE-2016-4343 CVE-2016-4473 CVE-2016-4537 CVE-2016-4538 CVE-2016-4539 CVE-2016-4540 CVE-2016-4541 CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 CVE-2016-5093 CVE-2016-5094 CVE-2016-5096 CVE-2016-5114 CVE-2016-5399 CVE-2016-5766 CVE-2016-5767 CVE-2016-5768 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772 CVE-2016-5773 CVE-2016-6128 CVE-2016-6207 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-6291 CVE-2016-6292 CVE-2016-6294 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 CVE-2016-7128 CVE-2016-7129 CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 ===================================================================== 1. Summary: An update for rh-php56, rh-php56-php, and rh-php56-php-pear is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The rh-php56 packages provide a recent stable release of PHP with PEAR 1.9.5 and enhanced language features including constant expressions, variadic functions, arguments unpacking, and the interactive debuger. The memcache, mongo, and XDebug extensions are also included. The rh-php56 Software Collection has been upgraded to version 5.6.25, which provides a number of bug fixes and enhancements over the previous version. (BZ#1356157, BZ#1365401) Security Fixes in the rh-php56-php component: * Several Moderate and Low impact security issues were found in PHP. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-7456, CVE-2014-9767, CVE-2015-8835, CVE-2015-8865, CVE-2015-8866, CVE-2015-8867, CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8879, CVE-2016-1903, CVE-2016-2554, CVE-2016-3074, CVE-2016-3141, CVE-2016-3142, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342, CVE-2016-4343, CVE-2016-4473, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-5093, CVE-2016-5094, CVE-2016-5096, CVE-2016-5114, CVE-2016-5399, CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6128, CVE-2016-6207, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132) * Multiple flaws were found in the PCRE library included with the rh-php56-php packages for Red Hat Enterprise Linux 6. (CVE-2015-2325, CVE-2015-2326, CVE-2015-2327, CVE-2015-2328, CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395) Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-3074, CVE-2016-4473, and CVE-2016-5399. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1207198 - CVE-2015-2325 pcre: heap buffer overflow in compile_branch() 1207202 - CVE-2015-2326 pcre: heap buffer over-read in pcre_compile2() (8.37/23) 1228283 - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11) 1237223 - CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18) 1260716 - CVE-2014-9767 php: ZipArchive::extractTo allows for directory traversal when creating directories 1285399 - CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20) 1285408 - CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19) 1287614 - CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group (8.38/3) 1287623 - CVE-2015-3210 CVE-2015-8384 pcre: buffer overflow caused by recursive back reference by name within certain group (8.38/4) 1287629 - CVE-2015-8385 pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30) 1287636 - CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion (8.38/6) 1287671 - CVE-2015-8391 pcre: inefficient posix character class syntax check (8.38/16) 1287690 - CVE-2015-8392 pcre: buffer overflow caused by patterns with duplicated named groups with (?| (8.38/27) 1287711 - CVE-2015-8381 CVE-2015-8395 pcre: Buffer overflow caused by duplicate named references (8.38/36) 1297710 - CVE-2016-5114 php: out-of-bounds write in fpm_log.c 1297717 - CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated 1305536 - CVE-2016-4342 php: use of uninitialized pointer in PharFileInfo::getContent 1305543 - CVE-2016-2554 php: buffer overflow in handling of long link names in tar phar archives 1315312 - CVE-2016-3142 php: Out-of-bounds read in phar_parse_zipfile() 1315328 - CVE-2016-3141 php: Use after free in WDDX Deserialize when processing XML data 1321893 - CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd 1323074 - CVE-2015-8835 php: type confusion issue in Soap Client call() method 1323103 - CVE-2016-4073 php: Negative size parameter in memcpy 1323106 - CVE-2016-4072 php: Invalid memory write in phar on filename containing \0 inside name 1323108 - CVE-2016-4071 php: Format string vulnerability in php_snmp_error() 1323114 - CVE-2016-4070 php: Integer overflow in php_raw_url_encode 1323118 - CVE-2015-8865 file: Buffer over-write in finfo_open with malformed magic file 1330418 - CVE-2015-8866 php: libxml_disable_entity_loader setting is shared between threads 1330420 - CVE-2015-8867 php: openssl_random_pseudo_bytes() is not cryptographically secure 1332454 - CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream() 1332860 - CVE-2016-4537 CVE-2016-4538 php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition 1332865 - CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input 1332872 - CVE-2016-4540 CVE-2016-4541 php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used 1332877 - CVE-2016-4539 php: xml_parse_into_struct() can crash when XML parser is re-used 1336772 - CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow 1336775 - CVE-2015-8873 php: Stack consumption vulnerability in Zend/zend_exceptions.c 1338896 - CVE-2015-8876 php: Zend/zend_exceptions.c does not validate certain Exception objects 1338907 - CVE-2015-8877 gd: gdImageScaleTwoPass function in gd_interpolation.c uses inconsistent allocate and free approaches 1338912 - CVE-2015-8879 php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns 1339590 - CVE-2016-5093 php: improper nul termination leading to out-of-bounds read in get_icu_value_internal 1339949 - CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread 1340433 - CVE-2013-7456 gd: incorrect boundary adjustment in _gdContributionsCalc 1340738 - CVE-2016-5094 php: Integer overflow in php_html_entities() 1347772 - CVE-2016-4473 php: Invalid free() instead of efree() in phar_extract_file() 1351068 - CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow 1351069 - CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow 1351168 - CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec 1351171 - CVE-2016-5770 php: Int/size_t confusion in SplFileObject::fread 1351173 - CVE-2016-5771 php: Use After Free Vulnerability in PHP's GC algorithm and unserialize 1351175 - CVE-2016-5772 php: Double Free Corruption in wddx_deserialize 1351179 - CVE-2016-5773 php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize 1351603 - CVE-2016-6128 gd: Invalid color index not properly handled 1358395 - CVE-2016-5399 php: Improper error handling in bzread() 1359698 - CVE-2016-6289 php: Integer overflow leads to buffer overflow in virtual_file_ex 1359710 - CVE-2016-6290 php: Use after free in unserialize() with Unexpected Session Deserialization 1359718 - CVE-2016-6291 php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE 1359756 - CVE-2016-6292 php: Null pointer dereference in exif_process_user_comment 1359800 - CVE-2016-6207 php,gd: Integer overflow error within _gdContributionsAlloc() 1359811 - CVE-2016-6294 php: Out-of-bounds access in locale_accept_from_http 1359815 - CVE-2016-6295 php: Use after free in SNMP with GC and unserialize() 1359822 - CVE-2016-6296 php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c 1359828 - CVE-2016-6297 php: Stack-based buffer overflow vulnerability in php_stream_zip_opener 1360322 - CVE-2016-6288 php: Buffer over-read in php_url_parse_ex 1374697 - CVE-2016-7124 php: bypass __wakeup() in deserialization of an unexpected object 1374698 - CVE-2016-7125 php: Session Data Injection Vulnerability 1374699 - CVE-2016-7126 php: select_colors write out-of-bounds 1374701 - CVE-2016-7127 php: imagegammacorrect allows arbitrary write access 1374704 - CVE-2016-7128 php: Memory Leakage In exif_process_IFD_in_TIFF 1374705 - CVE-2016-7129 php: wddx_deserialize allows illegal memory access 1374707 - CVE-2016-7130 php: wddx_deserialize null dereference 1374708 - CVE-2016-7131 php: wddx_deserialize null dereference with invalid xml 1374711 - CVE-2016-7132 php: wddx_deserialize null dereference in php_wddx_pop_element 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: rh-php56-2.3-1.el6.src.rpm rh-php56-php-5.6.25-1.el6.src.rpm rh-php56-php-pear-1.9.5-4.el6.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el6.noarch.rpm x86_64: rh-php56-2.3-1.el6.x86_64.rpm rh-php56-php-5.6.25-1.el6.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm rh-php56-php-common-5.6.25-1.el6.x86_64.rpm rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm rh-php56-php-process-5.6.25-1.el6.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm rh-php56-runtime-2.3-1.el6.x86_64.rpm rh-php56-scldevel-2.3-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7): Source: rh-php56-2.3-1.el6.src.rpm rh-php56-php-5.6.25-1.el6.src.rpm rh-php56-php-pear-1.9.5-4.el6.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el6.noarch.rpm x86_64: rh-php56-2.3-1.el6.x86_64.rpm rh-php56-php-5.6.25-1.el6.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm rh-php56-php-common-5.6.25-1.el6.x86_64.rpm rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm rh-php56-php-process-5.6.25-1.el6.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm rh-php56-runtime-2.3-1.el6.x86_64.rpm rh-php56-scldevel-2.3-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: rh-php56-2.3-1.el6.src.rpm rh-php56-php-5.6.25-1.el6.src.rpm rh-php56-php-pear-1.9.5-4.el6.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el6.noarch.rpm x86_64: rh-php56-2.3-1.el6.x86_64.rpm rh-php56-php-5.6.25-1.el6.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm rh-php56-php-common-5.6.25-1.el6.x86_64.rpm rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm rh-php56-php-process-5.6.25-1.el6.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm rh-php56-runtime-2.3-1.el6.x86_64.rpm rh-php56-scldevel-2.3-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-php56-2.3-1.el7.src.rpm rh-php56-php-5.6.25-1.el7.src.rpm rh-php56-php-pear-1.9.5-4.el7.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el7.noarch.rpm x86_64: rh-php56-2.3-1.el7.x86_64.rpm rh-php56-php-5.6.25-1.el7.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm rh-php56-php-common-5.6.25-1.el7.x86_64.rpm rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm rh-php56-php-process-5.6.25-1.el7.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm rh-php56-runtime-2.3-1.el7.x86_64.rpm rh-php56-scldevel-2.3-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2): Source: rh-php56-2.3-1.el7.src.rpm rh-php56-php-5.6.25-1.el7.src.rpm rh-php56-php-pear-1.9.5-4.el7.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el7.noarch.rpm x86_64: rh-php56-2.3-1.el7.x86_64.rpm rh-php56-php-5.6.25-1.el7.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm rh-php56-php-common-5.6.25-1.el7.x86_64.rpm rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm rh-php56-php-process-5.6.25-1.el7.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm rh-php56-runtime-2.3-1.el7.x86_64.rpm rh-php56-scldevel-2.3-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3): Source: rh-php56-2.3-1.el7.src.rpm rh-php56-php-5.6.25-1.el7.src.rpm rh-php56-php-pear-1.9.5-4.el7.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el7.noarch.rpm x86_64: rh-php56-2.3-1.el7.x86_64.rpm rh-php56-php-5.6.25-1.el7.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm rh-php56-php-common-5.6.25-1.el7.x86_64.rpm rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm rh-php56-php-process-5.6.25-1.el7.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm rh-php56-runtime-2.3-1.el7.x86_64.rpm rh-php56-scldevel-2.3-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-php56-2.3-1.el7.src.rpm rh-php56-php-5.6.25-1.el7.src.rpm rh-php56-php-pear-1.9.5-4.el7.src.rpm noarch: rh-php56-php-pear-1.9.5-4.el7.noarch.rpm x86_64: rh-php56-2.3-1.el7.x86_64.rpm rh-php56-php-5.6.25-1.el7.x86_64.rpm rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm rh-php56-php-common-5.6.25-1.el7.x86_64.rpm rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm rh-php56-php-process-5.6.25-1.el7.x86_64.rpm rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm rh-php56-runtime-2.3-1.el7.x86_64.rpm rh-php56-scldevel-2.3-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-7456 https://access.redhat.com/security/cve/CVE-2014-9767 https://access.redhat.com/security/cve/CVE-2015-2325 https://access.redhat.com/security/cve/CVE-2015-2326 https://access.redhat.com/security/cve/CVE-2015-2327 https://access.redhat.com/security/cve/CVE-2015-2328 https://access.redhat.com/security/cve/CVE-2015-3210 https://access.redhat.com/security/cve/CVE-2015-3217 https://access.redhat.com/security/cve/CVE-2015-5073 https://access.redhat.com/security/cve/CVE-2015-8381 https://access.redhat.com/security/cve/CVE-2015-8383 https://access.redhat.com/security/cve/CVE-2015-8384 https://access.redhat.com/security/cve/CVE-2015-8385 https://access.redhat.com/security/cve/CVE-2015-8386 https://access.redhat.com/security/cve/CVE-2015-8388 https://access.redhat.com/security/cve/CVE-2015-8391 https://access.redhat.com/security/cve/CVE-2015-8392 https://access.redhat.com/security/cve/CVE-2015-8395 https://access.redhat.com/security/cve/CVE-2015-8835 https://access.redhat.com/security/cve/CVE-2015-8865 https://access.redhat.com/security/cve/CVE-2015-8866 https://access.redhat.com/security/cve/CVE-2015-8867 https://access.redhat.com/security/cve/CVE-2015-8873 https://access.redhat.com/security/cve/CVE-2015-8874 https://access.redhat.com/security/cve/CVE-2015-8876 https://access.redhat.com/security/cve/CVE-2015-8877 https://access.redhat.com/security/cve/CVE-2015-8879 https://access.redhat.com/security/cve/CVE-2016-1903 https://access.redhat.com/security/cve/CVE-2016-2554 https://access.redhat.com/security/cve/CVE-2016-3074 https://access.redhat.com/security/cve/CVE-2016-3141 https://access.redhat.com/security/cve/CVE-2016-3142 https://access.redhat.com/security/cve/CVE-2016-4070 https://access.redhat.com/security/cve/CVE-2016-4071 https://access.redhat.com/security/cve/CVE-2016-4072 https://access.redhat.com/security/cve/CVE-2016-4073 https://access.redhat.com/security/cve/CVE-2016-4342 https://access.redhat.com/security/cve/CVE-2016-4343 https://access.redhat.com/security/cve/CVE-2016-4473 https://access.redhat.com/security/cve/CVE-2016-4537 https://access.redhat.com/security/cve/CVE-2016-4538 https://access.redhat.com/security/cve/CVE-2016-4539 https://access.redhat.com/security/cve/CVE-2016-4540 https://access.redhat.com/security/cve/CVE-2016-4541 https://access.redhat.com/security/cve/CVE-2016-4542 https://access.redhat.com/security/cve/CVE-2016-4543 https://access.redhat.com/security/cve/CVE-2016-4544 https://access.redhat.com/security/cve/CVE-2016-5093 https://access.redhat.com/security/cve/CVE-2016-5094 https://access.redhat.com/security/cve/CVE-2016-5096 https://access.redhat.com/security/cve/CVE-2016-5114 https://access.redhat.com/security/cve/CVE-2016-5399 https://access.redhat.com/security/cve/CVE-2016-5766 https://access.redhat.com/security/cve/CVE-2016-5767 https://access.redhat.com/security/cve/CVE-2016-5768 https://access.redhat.com/security/cve/CVE-2016-5770 https://access.redhat.com/security/cve/CVE-2016-5771 https://access.redhat.com/security/cve/CVE-2016-5772 https://access.redhat.com/security/cve/CVE-2016-5773 https://access.redhat.com/security/cve/CVE-2016-6128 https://access.redhat.com/security/cve/CVE-2016-6207 https://access.redhat.com/security/cve/CVE-2016-6288 https://access.redhat.com/security/cve/CVE-2016-6289 https://access.redhat.com/security/cve/CVE-2016-6290 https://access.redhat.com/security/cve/CVE-2016-6291 https://access.redhat.com/security/cve/CVE-2016-6292 https://access.redhat.com/security/cve/CVE-2016-6294 https://access.redhat.com/security/cve/CVE-2016-6295 https://access.redhat.com/security/cve/CVE-2016-6296 https://access.redhat.com/security/cve/CVE-2016-6297 https://access.redhat.com/security/cve/CVE-2016-7124 https://access.redhat.com/security/cve/CVE-2016-7125 https://access.redhat.com/security/cve/CVE-2016-7126 https://access.redhat.com/security/cve/CVE-2016-7127 https://access.redhat.com/security/cve/CVE-2016-7128 https://access.redhat.com/security/cve/CVE-2016-7129 https://access.redhat.com/security/cve/CVE-2016-7130 https://access.redhat.com/security/cve/CVE-2016-7131 https://access.redhat.com/security/cve/CVE-2016-7132 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYKvj4XlSAg2UNWIIRAqg2AKCB6Jcysv4gkiktKAJA3gy+RKlAqwCeJpjs UCuj+0gWfBsWXOgFhgH0uL8= =FcPG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05240731 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c05240731 Version: 1 HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2016-08-19 Last Updated: 2016-08-19 Potential Security Impact: Local Denial of Service (DoS), Elevation of Privilege, Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Disclosure of Information, Unauthorized Modification Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY Multiple potential remote and local vulnerabilities impacting Perl and PHP have been addressed by HPE NonStop Servers OSS Script Languages. The vulnerabilities include Perl's opportunistic loading of optional modules which might allow local users to gain elevation of privilege via a Trojan horse library under the current working directory. References: - CVE-2016-1238 - Perl Local Elevation of Privilege - CVE-2016-2381 - Perl Remote Unauthorized Modification - CVE-2014-4330 - Perl Local Denial of Service (DoS) **Note:** applies only for the H/J-series SPR. Fix was already provided in a previous L-series SPR. OSS Script Languages (T1203) T1203H01 through T1203H01^AAD, T1203L01 and T1203L01^AAC *Impacted releases:* - L15.02 - L15.08.00, L15.08.01 - L16.05.00 - J06.14 through J06.16.02 - J06.17.00, J06.17.01 - J06.18.00, J06.18.01 - J06.19.00, J06.19.01, J06.19.02 - J06.20.00 - H06.25 through H06.26.01 - H06.27.00, H06.27.01 - H06.28.00, H06.28.01 - H06.29.00, H06.29.01 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2013-7456 7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2014-4330 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) CVE-2015-8383 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8386 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8387 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8389 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8390 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8391 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C) CVE-2015-8393 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE-2015-8394 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8607 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8853 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2015-8865 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2015-8874 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2016-1238 6.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C) CVE-2016-1903 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) CVE-2016-2381 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) CVE-2016-2554 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2016-3074 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4070 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2016-4071 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4072 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4073 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4342 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C) CVE-2016-4343 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2016-4537 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4538 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4539 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4540 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4541 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4542 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4543 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4544 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5093 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5094 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5096 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5114 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) CVE-2016-5766 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2016-5767 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2016-5768 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5769 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5770 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5771 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5772 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5773 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has released the following software updates to resolve the vulnerabilities in NonStop Servers OSS Script Languages running Perl and PHP. Install one of the SPRs below as appropriate for the system's release version: + L-Series: * T1203L01^AAE (OSS Scripting Languages) - already available This SPR already is present in these RVUs: None This SPR is usable with the following RVUs: - L15.02 through L16.05.00 + H and J-Series: * T1203H01^AAF (OSS Scripting Languages) - already available This SPR already is present in these RVUs: None This SPR is usable with the following RVUs: - J06.14 through J06.20.00 - H06.25 through H06.29.01 **Note:** Please refer to *NonStop Hotstuff HS03333* for more information. HISTORY Version:1 (rev.1) - 19 August 2016 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3560-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 27, 2016 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php5 CVE ID : CVE-2015-8865 CVE-2016-4070 CVE-2016-4071 CVE-2016-4072 CVE-2016-4073 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. Please refer to the upstream changelog for more information: https://php.net/ChangeLog-5.php#5.6.20 For the stable distribution (jessie), these problems have been fixed in version 5.6.20+dfsg-0+deb8u1. We recommend that you upgrade your php5 packages. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.6.28 >= 5.6.28 Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev=lang/php-5.6.28" References ========== [ 1 ] CVE-2015-8865 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865 [ 2 ] CVE-2016-3074 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074 [ 3 ] CVE-2016-4071 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071 [ 4 ] CVE-2016-4072 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072 [ 5 ] CVE-2016-4073 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073 [ 6 ] CVE-2016-4537 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537 [ 7 ] CVE-2016-4538 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538 [ 8 ] CVE-2016-4539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539 [ 9 ] CVE-2016-4540 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540 [ 10 ] CVE-2016-4541 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541 [ 11 ] CVE-2016-4542 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542 [ 12 ] CVE-2016-4543 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543 [ 13 ] CVE-2016-4544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544 [ 14 ] CVE-2016-5385 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385 [ 15 ] CVE-2016-6289 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6289 [ 16 ] CVE-2016-6290 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6290 [ 17 ] CVE-2016-6291 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6291 [ 18 ] CVE-2016-6292 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6292 [ 19 ] CVE-2016-6294 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6294 [ 20 ] CVE-2016-6295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6295 [ 21 ] CVE-2016-6296 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6296 [ 22 ] CVE-2016-6297 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6297 [ 23 ] CVE-2016-7124 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7124 [ 24 ] CVE-2016-7125 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7125 [ 25 ] CVE-2016-7126 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7126 [ 26 ] CVE-2016-7127 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7127 [ 27 ] CVE-2016-7128 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7128 [ 28 ] CVE-2016-7129 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7129 [ 29 ] CVE-2016-7130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7130 [ 30 ] CVE-2016-7131 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7131 [ 31 ] CVE-2016-7132 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7132 [ 32 ] CVE-2016-7133 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7133 [ 33 ] CVE-2016-7134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7134 [ 34 ] CVE-2016-7411 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7411 [ 35 ] CVE-2016-7412 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7412 [ 36 ] CVE-2016-7413 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7413 [ 37 ] CVE-2016-7414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7414 [ 38 ] CVE-2016-7416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7416 [ 39 ] CVE-2016-7417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7417 [ 40 ] CVE-2016-7418 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7418 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201611-22 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

SQL injection vulnerability in Huawei Policy Center with software before V100R003C10SPC020 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to system databases. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Huawei Policy Center is a set of policy management center software of China Huawei (Huawei). The software provides functions such as visitor management and customized Portal login interface

Cogent DataHub before 7.3.10 allows local users to gain privileges by leveraging the user or guest role to modify a file. Cogent Real-Time Systems Cogent DataHub is a real-time data solution from Cogent Real-Time Systems of Canada, which is part of SCADA (Data Acquisition and Monitoring Control System) and automation software. An elevation of privilege vulnerability exists in Cogent Real-Time Systems Cogent DataHub 7.3.9 and earlier. An attacker could exploit the vulnerability to gain elevated privileges. Cogent DataHub 7.3.9 and prior are vulnerable

Cisco IOS 15.0 through 15.5 and IOS XE 3.3 through 3.16 allow remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 Relay message, aka Bug ID CSCus55821. Both Cisco IOS and IOSXESoftware are operating systems developed by Cisco for its network devices. Successful exploits may allow attackers to cause the device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCus55821

The IKEv2 implementation in Cisco IOS 15.0 through 15.6 and IOS XE 3.3 through 3.17 allows remote attackers to cause a denial of service (device reload) via fragmented packets, aka Bug ID CSCux38417. Both Cisco IOS and IOSXESoftware are operating systems developed by Cisco for its network devices. A security vulnerability exists in the fragmentation code for the IKE2 version in CiscoIOS and IOSXESoftware because the program failed to properly handle fragmented IKEv2 packets. A remote attacker could exploit the vulnerability by sending a specially crafted UDP packet to cause a denial of service. This issue is being tracked by Cisco Bug ID CSCux38417. Note: The traffic only to the directed system can be exploited by this issue. The vulnerability can be triggered by IPv4 and IPv6 traffic

The Smart Install client implementation in Cisco IOS 12.2, 15.0, and 15.2 and IOS XE 3.2 through 3.7 allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in a Smart Install packet, aka Bug ID CSCuv45410. Both Cisco IOS and IOSXESoftware are operating systems developed by Cisco for its network devices. This issue is being tracked by Cisco Bug ID CSCuv45410. The following products and versions are affected: Cisco IOS Release 12.2, Release 15.0, Release 15.2, IOS XE Release 3.2 through Release 3.7

Cisco IOS 15.3 and 15.4, Cisco IOS XE 3.8 through 3.11, and Cisco Unified Communications Manager allow remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCuj23293. Vendors have confirmed this vulnerability Bug ID CSCuj23293 It is released as.Malformed by a third party SIP Service disruption via message ( Device reload ) There is a possibility of being put into a state. An attacker can exploit this issue to cause the device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug IDs CSCuj23293 and CSCuv39370. Session Initiation Protocol (SIP) is one of the session initiation protocols. There are security vulnerabilities in the SIP protocol of several Cisco products. The following products and versions are affected: Cisco IOS Release 15.3, Release 15.4, IOS XE Release 3.8 to Release 3.11, CUCM Release 8.x, Release 9.x, Release 10.x, Release 11.x

The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS 15.1 and 15.2 and NX-OS 4.1 through 6.2 allows remote attackers to cause a denial of service (device reload) via a crafted header in a packet, aka Bug ID CSCuu64279. Cisco IOS and Cisco NX-OS are network operating systems that run on Cisco's switch products. A remote attacker could exploit the vulnerability by sending a malformed LISP packet to the UDP4341 port. An attacker can exploit this issue to reload the affected device, denying service to legitimate users. This issue is being tracked by Cisco Bug IDs CSCuu64279 and CSCuv11993. Locator/ID Separation Protocol (LISP) is one of the routing frameworks that provides new semantics for IP addresses

The Wide Area Application Services (WAAS) Express implementation in Cisco IOS 15.1 through 15.5 allows remote attackers to cause a denial of service (device reload) via a crafted TCP segment, aka Bug ID CSCuq59708. Cisco IOS is an operating system developed by Cisco Systems for its network devices. CiscoWideAreaApplicationServicesExpress is a product of CiscoWAAS based on IOS and integrated into the router to provide application acceleration and reduce WAN bandwidth costs. Cisco IOS Software is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to reload the affected device, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuq59708

The SCP and SFTP modules in Cisco IOS XR 5.0.0 through 5.2.5 on Network Convergence System 6000 devices use weak permissions for system files, which allows remote authenticated users to cause a denial of service (overwrite) via unspecified vectors, aka Bug ID CSCuw75848. Vendors have confirmed this vulnerability Bug ID CSCuw75848 It is released as.Service disruption by remotely authenticated user ( Overwrite ) There is a possibility of being put into a state. The Cisco IOSXRforCiscoNCS6000 is a Cisco network operating system running on the NCS6000 series of routers. A security vulnerability exists in the SCP and SFTP modules in the Cisco IOSXR Software 5.0.0 to 5.2.5 versions of the Cisco NCS6000 due to the program's failure to properly set the path to include the system files. A remote attacker could exploit the vulnerability to overwrite system files, causing a denial of service. Cisco IOS XR Software is prone to a remote denial-of-service vulnerability. This issue is being tracked by Cisco Bug ID CSCuw75848. Note: This issue was previously titled 'Cisco Network Convergence System 6000 Series Routers Remote Denial of Service Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected. Both Secure Copy Protocol (SCP) and Secure FTP (SFTP) are among the security protocol modules. The vulnerability is caused by the program not properly setting permissions for paths containing system files

Web Server in Apple OS X Server before 5.1 supports the RC4 algorithm, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. Web Server is one of the Web servers. The vulnerability is caused by the program supporting the RC4 algorithm. A remote attacker could exploit this vulnerability to compromise the confidentiality protection mechanism. CVE-2016-7627: TRAPMINE Inc. These issues were addressed by updating to curl version 7.51.0. CVE-2016-1777: Pepi Zawodsky OpenPAM Available for: macOS Sierra 10.12.1 Impact: A local unprivileged user may gain access to privileged applications Description: PAM authentication within sandboxed applications failed insecurely. This issue was addressed by verifying OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate. CVE-2016-7636: Maksymilian Arciemowicz (cxsecurity.com) Security Available for: macOS Sierra 10.12.1 Impact: Certificates may be unexpectedly evaluated as trusted Description: A certificate evaluation issue existed in certificate validation. Alternatively, on your watch, select "My Watch > General > About". CVE-ID CVE-2016-1787 : an anonymous researcher OS X Server 5.1 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-10-30-8 Additional information for APPLE-SA-2018-9-24-4 iOS 12 iOS 12 addresses the following: Accounts Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local app may be able to read a persistent account identifier Description: This issue was addressed with improved entitlements. CVE-2018-4322: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. Auto Unlock Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to access local users AppleIDs Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. Bluetooth Available for: iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation. CVE-2018-5383: Lior Neumann and Eli Biham CFNetwork Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 CoreFoundation Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4412: The UK's National Cyber Security Centre (NCSC) Entry added October 30, 2018 CoreFoundation Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to gain elevated privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4414: The UK's National Cyber Security Centre (NCSC) Entry added October 30, 2018 CoreMedia Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An app may be able to learn information about the current camera view before being granted camera access Description: A permissions issue existed. This issue was addressed with improved permission validation. CVE-2018-4356: an anonymous researcher CoreText Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2018-4347: an anonymous researcher Entry added October 30, 2018 Crash Reporter Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4333: Brandon Azad Grand Central Dispatch Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4426: Brandon Azad Entry added October 30, 2018 Heimdal Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4331: Brandon Azad CVE-2018-4332: Brandon Azad CVE-2018-4343: Brandon Azad Entry added October 30, 2018 iBooks Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information Description: A configuration issue was addressed with additional restrictions. CVE-2018-4355: evi1m0 of bilibili security team Entry added October 30, 2018 IOHIDFamily Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation CVE-2018-4408: Ian Beer of Google Project Zero Entry added October 30, 2018 IOKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4341: Ian Beer of Google Project Zero CVE-2018-4354: Ian Beer of Google Project Zero Entry added October 30, 2018 IOKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2018-4383: Apple Entry added October 30, 2018 IOMobileFrameBuffer Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4335: Brandon Azad IOUserEthernet Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4401: Apple Entry added October 30, 2018 iTunes Store Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store Description: An input validation issue was addressed with improved input validation. CVE-2018-4305: Jerry Decime Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to leak sensitive user information Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2018-4399: Fabiano Anemone (@anoane) Entry added October 30, 2018 Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: An input validation issue existed in the kernel. This issue was addressed with improved input validation. CVE-2018-4363: Ian Beer of Google Project Zero Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: A memory corruption issue was addressed with improved validation. CVE-2018-4407: Kevin Backhouse of Semmle Ltd. Entry added October 30, 2018 Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4336: Brandon Azad CVE-2018-4337: Ian Beer of Google Project Zero CVE-2018-4340: Mohamed Ghannam (@_simo36) CVE-2018-4344: The UK's National Cyber Security Centre (NCSC) CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 mDNSOffloadUserClient Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team Entry added October 30, 2018 MediaRemote Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions. CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs Entry added October 30, 2018 Messages Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted messages Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of message deletions. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU) Notes Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted notes Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of notes deletions. CVE-2018-4352: Utku Altinkaynak Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover websites a user has visited Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of application snapshots. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU) Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A user may be unable to delete browsing history items Description: Clearing a history item may not clear visits with redirect chains. The issue was addressed with improved data deletion. CVE-2018-4329: Hugo S. Diaz (coldpointblue) SafariViewController Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4362: Jun Kokatsu (@shhnjk) Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to exfiltrate autofilled data in Safari Description: A logic issue was addressed with improved state management. CVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2018-4395: Patrick Wardle of Digita Security Entry added October 30, 2018 Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. CVE-2016-1777: Pepi Zawodsky Status Bar Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to determine the last used app from the lock screen Description: A logic issue was addressed with improved restrictions. CVE-2018-4325: Brian Adeloye Symptom Framework Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 Text Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted text file may lead to a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4304: jianan.huang (@Sevck) Entry added October 30, 2018 WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4299: Samuel GroI2 (saelo) working with Trend Micro's Zero Day Initiative CVE-2018-4323: Ivan Fratric of Google Project Zero CVE-2018-4328: Ivan Fratric of Google Project Zero CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative CVE-2018-4359: Samuel GroA (@5aelo) CVE-2018-4360: William Bowling (@wcbowling) Entry added October 30, 2018 WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may cause unexepected cross-origin behavior Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. CVE-2018-4319: John Pettitt of Google WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2018-4197: Ivan Fratric of Google Project Zero CVE-2018-4306: Ivan Fratric of Google Project Zero CVE-2018-4312: Ivan Fratric of Google Project Zero CVE-2018-4314: Ivan Fratric of Google Project Zero CVE-2018-4315: Ivan Fratric of Google Project Zero CVE-2018-4317: Ivan Fratric of Google Project Zero CVE-2018-4318: Ivan Fratric of Google Project Zero WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may exfiltrate image data cross-origin Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. CVE-2018-4345: an anonymous researcher WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Unexpected interaction causes an ASSERT failure Description: A memory corruption issue was addressed with improved validation. CVE-2018-4191: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Cross-origin SecurityErrors includes the accessed frame's origin Description: The issue was addressed by removing origin information. CVE-2018-4311: Erling Alf Ellingsen (@steike) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to execute scripts in the context of another website Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Unexpected interaction causes an ASSERT failure Description: A memory consumption issue was addressed with improved memory handling. CVE-2018-4361: found by OSS-Fuzz Additional recognition APFS We would like to acknowledge Umang Raghuvanshi for their assistance. Assets We would like to acknowledge Brandon Azad for their assistance. configd We would like to acknowledge Sabri Haddouche (@pwnsdx) of Wire Swiss GmbH for their assistance. Core Data We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. CoreSymbolication We would like to acknowledge Brandon Azad for their assistance. Exchange ActiveSync We would like to acknowledge Jesse Thompson of University of Wisconsin-Madison for their assistance. Feedback Assistant We would like to acknowledge Marco Grassi (@marcograss) of KeenLab (@keen_lab) Tencent working with Trend Micro's Zero Day Initiative for their assistance. Kernel We would like to acknowledge Brandon Azad for their assistance. Mail We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, Gunnar Diepenbruck, and Zbyszek A>>A3Akiewski for their assistance. MediaRemote We would like to acknowledge Brandon Azad for their assistance. Quick Look We would like to acknowledge lokihardt of Google Project Zero for their assistance. Safari We would like to acknowledge Marcel Manz of SIMM-Comm GmbH and Vlad Galbin for their assistance. Sandbox Profiles We would like to acknowledge Tencent Keen Security Lab working with Trend Micro's Zero Day Initiative for their assistance. Security We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance. SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. Status Bar We would like to acknowledge Ju Zhu of Meituan and Moony Li and Lilang Wu of Trend Micro for their assistance. WebKit We would like to acknowledge Cary Hartline, Hanming Zhang from 360 Vuclan team, Tencent Keen Security Lab working with Trend Micro's Zero Day Initiative, and Zach Malone of CA Technologies for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 12". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3HbuA// ZOEwXUyLVS3SqfEjU3MRUoTp1x+Ow+fd5co9B6v7bY+Ebc2KmSZjpPuNPjouRHmf RbWpZ0Mc52NYm+OdYqPu/Tg94wRi6tlrYusk6GngVH4IBER4TqiFrLNSzAjXL0xP qWv3JQcAIFNbNWpSEzDzEbuq85q4BIuP/+v2LpTc1ZWqIYt9TQHxUpyjoTXZvQhL 8L9ZM/dj8BC+m713LeC/KzveaDpaqnVJUDbgUkzRyFfFqOJt+hlaTS8yMUM3G+TX cblL8bvFNIxtUrt4Rf2TwDRVxUZIw/aFK2APmxVZ44UAT+2o+WFxBkHRXQiZc4Lk OaTzzkocdZu4q4MibrxELBWtW46AcGMqQKUpFZ6GR+4U2c1ICRwKnjQTn0iY7mg7 d+M+bTx8T2knwV7lSwvnHz79rysvOuCF3QCAZ4tW4PvLHWSZ0TpJho8z23PLHFQd J3cOYPby6SM9YP6SBISX5OI8xnvr1XIAPIBnOy0ScaMFsu0Er8j1hvbF1fXiaYOJ CSUUXR2th3jPW0g9L0j4vWGURG1h0psIN2MxTSHbmm4KXBAYngZ0wDOeJMUe8YMy IG0UBDqKNh8lzKHcc4aYA1WyaNsqbgbngBqDATp/XyWRzd+Py/U06MVuIaV095Rv s9WW67M1kLHy4BeutXt+xLBp9AugI+gU53uysxcnBx4= =dGPm -----END PGP SIGNATURE-----

The kernel in Apple iOS before 9.3, tvOS before 9.2, and watchOS before 2.2 does not properly restrict the execute permission, which allows attackers to bypass a code-signing protection mechanism via a crafted app. Apple iOS, tvOS, and watchOS are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system. Kernel is one of the kernel components. There are security vulnerabilities in the kernels of several Apple products, which stem from the fact that programs do not properly restrict executable permissions. The following products and versions are affected: Apple iOS versions prior to 9.3, tvOS versions prior to 9.2, and watchOS versions prior to 2.2. CVE-ID CVE-2016-1722 : Joshua J. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-03-21-1 iOS 9.3 iOS 9.3 is now available and addresses the following: AppleUSBNetworking Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the parsing of data from USB devices. This issue was addressed through improved input validation. CVE-ID CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path FontParser Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI) HTTPProtocol Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0. CVE-ID CVE-2015-8659 IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to determine kernel memory layout Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1748 : Brandon Azad Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to cause a denial of service Description: A denial of service issue was addressed through improved validation. CVE-ID CVE-2016-1752 : CESG Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-ID CVE-2016-1750 : CESG Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple integer overflows were addressed through improved input validation. CVE-ID CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to bypass code signing Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed through improved permission validation. CVE-ID CVE-2016-1751 : Eric Monti of Square Mobile Security Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition existed during the creation of new processes. This was addressed through improved state handling. CVE-ID CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaça Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference was addressed through improved input validation. CVE-ID CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2016-1755 : Ian Beer of Google Project Zero Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-ID CVE-2016-1758 : Brandon Azad LaunchServices Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may be able to modify events from other applications Description: An event handler validation issue existed in the XPC Services API. This issue was addressed through improved message validation. CVE-ID CVE-2016-1760 : Proteas of Qihoo 360 Nirvan Team libxml2 Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2015-1819 CVE-2015-5312 : David Drysdale of Google CVE-2015-7499 CVE-2015-7500 : Kostya Serebryany of Google CVE-2015-7942 : Kostya Serebryany of Google CVE-2015-8035 : gustavo.grieco CVE-2015-8242 : Hugh Davenport CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1762 Messages Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may auto-fill text into other Message threads Description: An issue existed in the parsing of SMS URLs. This issue was addressed through improved URL validation. CVE-ID CVE-2016-1763 : CityTog Messages Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments Description: A cryptographic issue was addressed by rejecting duplicate messages on the client. CVE-ID CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University Profiles Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An untrusted MDM profile may be incorrectly displayed as verified Description: A certificate validation issue existed in MDM profiles. This was addressed through additional checks. CVE-ID CVE-2016-1766 : Taylor Boyko working with Trend Micro's Zero Day Initiative (ZDI) Security Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation. CVE-ID CVE-2016-1950 : Francis Gabriel of Quarkslab TrueTypeScaler Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI) WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1778 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1783 : Mihai Parparita of Google WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A website may be able to track sensitive user information Description: An issue existed in the handling of attachment URLs. This issue was addressed through improved URL handling. CVE-ID CVE-2016-1781 : Devdatta Akhawe of Dropbox, Inc. WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A website may be able to track sensitive user information Description: A hidden web page may be able to access device- orientation and device-motion data. This issue was addressed by suspending the availability of this data when the web view is hidden. CVE-ID CVE-2016-1780 : Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of the School of Computing Science, Newcastle University, UK WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may reveal a user's current location Description: An issue existed in the parsing of geolocation requests. This was addressed through improved validation of the security origin for geolocation requests. CVE-ID CVE-2016-1779 : xisigr of Tencent's Xuanwu Lab (http://www.tencent.com) WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious website may be able to access restricted ports on arbitrary servers Description: A port redirection issue was addressed through additional port validation. CVE-ID CVE-2016-1782 : Muneaki Nishimura (nishimunea) of Recruit Technologies Co.,Ltd. WebKit History Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A resource exhaustion issue was addressed through improved input validation. CVE-ID CVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and 李普君 of 无声信息技术PKAV Team (PKAV.net) WebKit Page Loading Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a malicious website may lead to user interface spoofing Description: Redirect responses may have allowed a malicious website to display an arbitrary URL and read cached contents of the destination origin. This issue was addressed through improved URL display logic. CVE-ID CVE-2016-1786 : ma.la of LINE Corporation WebKit Page Loading Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious website may exfiltrate data cross-origin Description: A caching issue existed with character encoding. This was addressed through additional request checking. CVE-ID CVE-2016-1785 : an anonymous researcher Wi-Fi Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may be able to execute arbitrary code Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling. CVE-ID CVE-2016-0801 : an anonymous researcher CVE-2016-0802 : an anonymous researcher Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "9.3 ". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJW8JPyAAoJEBcWfLTuOo7tWzQP/i8AwdkoE9uvhfe5X5p1yDxr YVcAkvHAgWzNee9Tvc6ERa2KWdOkmbVRGzySyG62lhGnrUTSMtlCs0/Bp/Ui5p65 FF2viREhDJNA83WZcsFP0ELZVJ5VwUv6BJR0L0ERn7QSfaftAwVSFmyHHURA7rGj IRQWnwD6IOblI0veLXjJjN8nPY2ueAzVvyv5mD8c4MdCxwxZNi2X9ugtIBBbZr6Y arjAVh/wfB0m+f50feDaPvo/8mZDn1UwrDu0YPtGDmGebgX17TE39q0YgOFf0uXv HzA0S1+mDURGR3h+7wpyO25+uOPHyGkeIA1GVISA2O7pmHKTcY5pvWC4zyIsDfRC ziI4AIml9ySY7nIltuUWeUdO81nHrjvEtXyWZ6VBH4Dah4yne80B04UGgLIzD1ON hTlTySVnMBJ8+N0g+e3ldGTuf49ISEKh9s6u+ABtBi9+sDSiWxGIkvNuZN37522O dK4MsAZIffxbKo2DuJxiWrfIzhAOO3rZbRD8oFkOtKh5QHlS1eOBlN29U9S1Cq+P jZ/sffscri8q9m8KUx4a+1HG3N6TDIJtIz7/jJyTld2Aw+1JAlU4DG41t1lkEs6S 41wah3j9YrqXCp2uc3JmcI6k2XW2pj73T9Mqqz5e/xk2sfwnJ299dAK7vXkGR3ix Fg29LzTb0eQ9Ub1Mkn5E =Ouex -----END PGP SIGNATURE-----