APPLE-SA-2016-12-12-2 watchOS 3.1.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-12-12-2 watchOS 3.1.1

watchOS 3.1.1 is now available and addresses the following:

Accounts
Available for: All Apple Watch models
Impact: An issue existed which did not reset the authorization settings on app uninstall
Description: This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro

Profiles
Available for: All Apple Watch models
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)

Installation note:

Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJYTiRQAAoJEIOj74w0bLRGF7gP/Ai6yr5v+PBxDWHtEksBs3es
eroQA8hmzgvrF3zm7DOfRvJyvAKhIczxCdx9hebIIvbRFRkQkwdYPaTaLqO29iWH
xdY8FN6QCMSVvE5/yVhAUCcEfyE9V9u1uQlvzMUMZh/5rkxtwko+Ubegtw/X8O6Z
n+ldjlAGViBvhthNQXTq2JSmo9sROcLvgo2kCKwL9adgxU2H9YqBksjbrcY37zHd
Lq3dz/JhN30JmkPH/u/ksm94BOZAUVyGym1wfDERMSioObac6nmXr3cZ4dUM7dat
5pVZ35SNCWkARIeDSVIpdD+h94/NoyIfmPrPv4zTPjXMHEeqQYvnfpYFSewHPr0s
kzdNKpjnI3Ytx8Tjtlpq0n0pJehbSlhr2UgGSWZCIso6Ew5siEI0vvz7YyI2AtRJ
Ch/yZvaUWGNt4qhjUxYfBSyrS0upG0pVP43jgi9RHXF/kSD72Ek08DDI/uDn/v5Q
P16yBIogYNCq79M1S3POoDy5uQlqF9fKouxV+wlquBfLFsDm03Utiewgw3mwC5vc
zEy1bYVW/OPKslfBgQv3OTCpVcMocs1N4hIrcTxXke1l4VbHXflopaiz/tF1T86o
s4qaTu3kAyS6dB55sftI1AtqUA7taMUJ1iOgCpSI+e6xBocz3xUQm+r5yNf53sC3
Krj4IV2NhP4HVlVu2V3X
=Qt14
-----END PGP SIGNATURE-----
APPLE-SA-2016-12-12-3 tvOS 10.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-12-12-3 tvOS 10.1

tvOS 10.1 is now available and addresses the following:

Profiles
Available for: Apple TV (4th generation)
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)

Installation note:

Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."

To check the current version of software, select "Settings -> General -> About."

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJYTiTTAAoJEIOj74w0bLRGDOQP/AjOyZHSqMpBr3qMVmPJs78g
5VFELv8tFrNQ4co/JNdIbREQSzD4qWC/JydzpStwr3NJF0Nk29J4HepsAQ4Yqr4b
9OYDmtQ4MC/pIAinptopCFlNTMUOpzucqVji7uQg+ED7gH9e/RmFkUg3PdIZDn/t
jlf0XMpc9DvR/SWoJ5XbymvPkhLDZ2NsBw2yMf1NRJF3YUeSgTCvSXuhZeavS4Dj
GBg9tPNzH/nCBPzTlAySP29T+kWOpoPQzp+ETlkX2I5y5eosa6Hj43A4limDqkUW
RyoqzwqJIsB01u80Ey1XgivDR94dxkt6XpD4GMe89bOypt2KY+YShHkaH8ScCjx7
DrROuW4vP+R8+M6G53MUoLJ/ppVOqHjJXm6YQImDk5KNL2oHW7FE2c6nfuP/LtMY
5kLyV8WSFeb4gsM3SgGCpH92wgI25Jr9WcRkvbB9bOd3Esn1suq58+BniB7BlxmR
8YPDnD8yP+DwRa6Y7DNpWiziXEelIirNKKYph30nJSi4MWkAxr1TIDjbPDE/jk3Z
TiHl1NMjm0kT77YHW2K/TSxt6HjO5F5fQNR6KwFhfE9h+0xPF/KDlQ6kpDcz+LbN
pBWkeypfvHh1pE3eU4hic/Rnl+EiGcyACQtRKSS2OZ3RcZ3IN5VxLE8+TOyH5dlW
LYEQpFgylfUFPWTJteSY
=9V+M
-----END PGP SIGNATURE-----
APPLE-SA-2016-12-12-1 iOS 10.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-12-12-1 iOS 10.2

iOS 10.2 is now available and addresses the following:

Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A nearby user may be able to overhear spoken passwords
Description: A disclosure issue existed in the handling of passwords. This issue was addressed by disabling the speaking of passwords.
CVE-2016-7634: Davut Hari

Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to access photos and contacts from the lock screen
Description: A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device.
CVE-2016-7664: Miguel Alvarado of iDeviceHelp

Accounts
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An issue existed which did not reset the authorization settings on app uninstall
Description: This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro

Find My iPhone
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker with an unlocked device may be able to disable Find My iPhone
Description: A state management issue existed in the handling of authentication information. This issue was addressed through improved storage of account information.
CVE-2016-7638: Sezer Sakiner, an anonymous researcher

Graphics Driver
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Watching a maliciously crafted video may lead to a denial of service
Description: A denial of service issue existed in the handling of video. This issue was addressed through improved input validation.
CVE-2016-7665: Moataz El Gaml of Schlumberger, an anonymous researcher

Image Capture
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A malicious HID device may be able to cause arbitrary code execution
Description: A validation issue existed in the handling of USB image devices. This issue was addressed through improved input validation.
CVE-2016-4690: Andy Davis of NCC Group

Local Authentication
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: The device may not lock the screen after the idle timeout
Description: A logic issue existed in the handling of the idle timer when the Touch ID prompt is shown. This issue was addressed through improved handling of the idle timer.
CVE-2016-7601: an anonymous researcher

Mail
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An email signed with a revoked certificate may appear valid
Description: S/MIME policy failed to check if a certificate was valid. This issue was addressed by notifying a user if an email was signed with a revoked certificate.
CVE-2016-4689: an anonymous researcher

Media Player
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A user may be able to view photos and contacts from the lockscreen
Description: A validation issue existed in the handling of media selection. This issue was addressed through improved validation.
CVE-2016-7653

Profiles
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)

SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to unlock the device
Description: In some cases, a counter issue existed in the handling of passcode attempts when resetting the passcode. This was addressed through improved state management.
CVE-2016-4781: an anonymous researcher

SpringBoard
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A person with physical access to an iOS device may be able to keep the device unlocked
Description: A cleanup issue existed in the handling of Handoff with Siri. This was addressed through improved state management.
CVE-2016-7597: an anonymous researcher

Installation note:

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet con
[SECURITY] CVE-2016-8745 Apache Tomcat Information Disclosure
CVE-2016-8745 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M13
Apache Tomcat 8.5.0 to 8.5.8
Earlier versions are not affected.

Description:
The refactoring of the Connector code for 8.5.x onwards introduced a regression in the error handling of the send file code for the NIO HTTP connector. An error during send file processing resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be handed out to, and used by, concurrent requests. Sharing a Processor can result in information leakage between requests, including, but not limited to, the session ID and the response body.

Mitigation:
Users of the NIO HTTP connector with the affected versions should apply one of the following mitigations:
- Switch to the NIO2 HTTP or APR HTTP connector
- Disable send file
- Upgrade to Apache Tomcat 9.0.0.M15 or later (Apache Tomcat 9.0.0.M14 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.9 or later

Credit:
This issue was reported publicly as Bug 60409 [1] and the security implications were identified by the Tomcat security team.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
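The two configuration-level mitigations above, shown as conf/server.xml Connector elements. This is an added illustration and not part of the Apache advisory; the port, timeout and redirectPort values are placeholders, and only the protocol and useSendfile attributes matter for the issue.

```xml
<!-- Affected shape on Tomcat 8.5.0-8.5.8 and 9.0.0.M1-9.0.0.M13:
     the NIO HTTP connector with sendfile left at its default (enabled).
     A failure during sendfile processing can return the Processor to the
     cache more than once, after which two concurrent requests may share it. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Mitigation: keep the NIO connector but disable sendfile, so the
     error-handling path with the regression is never reached. Static
     content is then written through the normal response path. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           useSendfile="false"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Mitigation: switch the connector implementation to NIO2. The APR
     connector (org.apache.coyote.http11.Http11AprProtocol) is the other
     alternative named in the advisory; it requires the Tomcat Native
     library to be installed. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           connectionTimeout="20000"
           redirectPort="8443" />
```

Practitioner's check when auditing a server.xml: a Connector whose protocol is "HTTP/1.1" or omitted entirely is the auto-switching connector, and on 8.5.x and 9.0.x that resolves to the NIO connector unless the APR native library is present and the AprLifecycleListener's useAprConnector attribute is set to true. Such connectors are therefore in scope for this issue even though the string "Nio" never appears in the file. The mitigations only buy time; the fixed releases (8.5.9, 9.0.0.M15) remain the real remedy.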
[SECURITY] [DSA 3730-1] icedove security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3730-1                    secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
December 11, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : icedove
CVE ID         : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297
                 CVE-2016-9066 CVE-2016-9074 CVE-2016-9079

Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service.

For the stable distribution (jessie), these problems have been fixed in version 1:45.5.1-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 1:45.5.1-1 or earlier.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlhNeSBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TethAAhm36AZCty9KUOtfTeXCrgfaFahBzWlQ21CZg7zwVI3IWvhulei7SEWop
t84BGmnEZ3hJ26/yQf/Bi0wwpn1WRKe3wX3Hm7PDVqYngYEeNEjY90FdtjqRqSBL
nIKAQjT5kZp9sh+O2+HZUwjGenfmvNOY2EYZ7If8abQ7aO7FLDRKuY72XcVfgLSv
J/uDE6X/RZk4sJqfr+ObpHtp3hkGlaYHCsB+p2pros4xW60gZVDVltPX10ICXS9+
plBLUMhdKLux5dIj90TvnxB6SOYu0u+Jahjf6owMNJoRIwwW/KvNc99szTWs/X0H
M9fdBBmLdNh/6IhRAYiym/HLNyt44rxShvSOTPOU4eKzG4O9gDEpSNmlh9+WIOtN
cbDZ0S7OzEdfuW/74AVI4XNlqFL3SzHS2kqDAAYBjlsMbt0O5Ep6DpO8UZIbEiz+
97ohaD0wM/Lg/l4sNStUuJzg1P4HEPae4+lk2UiKO3Ty3xSRzYDbqAWYlwkDwr2V
X2QHzR0iaMapjPWdrOIBd4c1tG8HLIG44FNeJvEglC7kdgNuUTUG641TAqkKV1iR
YyO5vd22RuNBQ0ryAKUx//TfMRgJTdN9QwWth6TcBj88dhLKBQGeRe8D4j66kwE8
bsEIlMP6Dpb3sgyjbGLQP4xVGmYrvtzbNKN3JZwzhr2a9Giqwkw=
=19SC
-----END PGP SIGNATURE-----