> On 24 Jan 2018, at 7:46 am, Apple Product Security
> <[email protected]> wrote:
>
> APPLE-SA-2018-1-23-4 tvOS 11.2.5
>
> tvOS 11.2.5 is now available and addresses the following:
>
> Audio
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing a maliciously crafted audio file may lead to
> arbitrary code execution
> Description: A memory corruption issue was addressed through improved
> input validation.
> CVE-2018-4094: Mingi Cho, MinSik Shin, Seoyoung Kim, Yeongho Lee and
> Taekyoung Kwon of the Information Security Lab, Yonsei University
>
> Core Bluetooth
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to execute arbitrary code with
> system privileges
> Description: A memory corruption issue was addressed with improved
> memory handling.
> CVE-2018-4087: Rani Idan (@raniXCH) of Zimperium zLabs Team
> CVE-2018-4095: Rani Idan (@raniXCH) of Zimperium zLabs Team
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A memory initialization issue was addressed through
> improved memory handling.
> CVE-2018-4090: Jann Horn of Google Project Zero
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A race condition was addressed through improved locking.
> CVE-2018-4092: an anonymous researcher
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: A malicious application may be able to execute arbitrary code
> with kernel privileges
> Description: A memory corruption issue was addressed through improved
> input validation.
> CVE-2018-4082: Russ Cox of Google
>
> Kernel
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: An application may be able to read restricted memory
> Description: A validation issue was addressed with improved input
> sanitization.
> CVE-2018-4093: Jann Horn of Google Project Zero
>
> QuartzCore
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution
> Description: A memory corruption issue existed in the processing of
> web content. This issue was addressed through improved input
> validation.
> CVE-2018-4085: Ret2 Systems Inc. working with Trend Micro's Zero Day
> Initiative
>
> Security
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: A certificate may have name constraints applied incorrectly
> Description: A certificate evaluation issue existed in the handling
> of name constraints. This issue was addressed through improved trust
> evaluation of certificates.
> CVE-2018-4086: Ian Haken of Netflix
>
> WebKit
> Available for: Apple TV 4K and Apple TV (4th generation)
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution
> Description: Multiple memory corruption issues were addressed with
> improved memory handling.
> CVE-2018-4088: Jeonghoon Shin of Theori
> CVE-2018-4089: Ivan Fratric of Google Project Zero
> CVE-2018-4096: found by OSS-Fuzz
>
> Installation note:
>
> Apple TV will periodically check for software updates. Alternatively,
> you may manually check for software updates by selecting
> "Settings -> System -> Software Update -> Update Software."
>
> To check the current version of software, select
> "Settings -> General -> About."
>
> Information will also be posted to the Apple Security Updates
> web site: https://support.apple.com/kb/HT201222
>
> This message is signed with Apple's Product Security PGP key,
> and details are available at:
> https://www.apple.com/support/security/pgp/
