| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Mar 2016 15:25:39 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: webkit-gtk@...ts.webkit.org
Cc: bugtraq@...urityfocus.com, oss-security@...ts.openwall.com
Subject: WebKitGTK+ Security Advisory WSA-2016-0002
------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2016-0002
------------------------------------------------------------------------
Date reported : March 11, 2016
Advisory ID : WSA-2016-0002
Advisory URL : http://webkitgtk.org/security/WSA-2016-0002.html
CVE identifiers : CVE-2016-1723, CVE-2016-1724, CVE-2016-1725,
CVE-2016-1726, CVE-2016-1727, CVE-2016-1728.
Several vulnerabilities were discovered on WebKitGTK+.
CVE-2016-1723
Versions affected: WebKitGTK+ before 2.10.5.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption) via a crafted web site, a different
vulnerability than CVE-2016-1725 and CVE-2016-1726.
CVE-2016-1724
Versions affected: WebKitGTK+ before 2.10.5.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and
tvOS before 9.1.1, allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted web
site, a different vulnerability than CVE-2016-1727.
CVE-2016-1725
Versions affected: WebKitGTK+ before 2.10.5.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption) via a crafted web site, a different
vulnerability than CVE-2016-1723 and CVE-2016-1726.
CVE-2016-1726
Versions affected: WebKitGTK+ before 2.10.8.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption) via a crafted web site, a different
vulnerability than CVE-2016-1723 and CVE-2016-1725.
CVE-2016-1727
Versions affected: WebKitGTK+ before 2.10.5.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and
tvOS before 9.1.1, allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted web
site, a different vulnerability than CVE-2016-1724.
CVE-2016-1728
Versions affected: WebKitGTK+ before 2.10.5.
Credit to an anonymous researcher coordinated via Joe Vennix.
The Cascading Style Sheets (CSS) implementation in Apple iOS before
9.2.1 and Safari before 9.0.3 mishandles the "a:visited button"
selector during height processing, which makes it easier for remote
attackers to obtain sensitive browser-history information via a
crafted web site.
We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
March 11, 2016
Download attachment "signature.asc" of type "application/pgp-signature" (884 bytes)
Powered by blists - more mailing lists