lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <6672E185-9D3E-4803-B574-2FEEF1B0F938@lists.apple.com>
Date: Tue, 10 Dec 2019 15:55:56 -0800
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2019-12-10-8 watchOS 6.1.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-12-10-8 watchOS 6.1.1

watchOS 6.1.1 is now available and addresses the following:

CallKit
Available for: Apple Watch Series 1 and later
Impact: Calls made using Siri may be initiated using the wrong
cellular plan on devices with two active plans
Description: An API issue existed in the handling of outgoing phone
calls initiated with Siri. This issue was addressed with improved
state handling.
CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL

CFNetwork Proxies
Available for: Apple Watch Series 1 and later
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team

FaceTime
Available for: Apple Watch Series 1 and later
Impact: Processing malicious video via FaceTime may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8830: Natalie Silvanovich of Google Project Zero

IOUSBDeviceFamily
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8836: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.
and Luyi Xing of Indiana University Bloomington

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2019-8833: Ian Beer of Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8828: Cim Stordal of Cognite
CVE-2019-8838: Dr Silvio Cesare of InfoSect

libexpat
Available for: Apple Watch Series 1 and later
Impact: Parsing a maliciously crafted XML file may lead to disclosure
of user information
Description: This issue was addressed by updating to expat version
2.2.8.
CVE-2019-15903: Joonun Jang

Security
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8832: Insu Yun of SSLab at Georgia Tech

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8844: William Bowling (@wcbowling)

Additional recognition

Accounts
We would like to acknowledge Kishan Bagaria (KishanBagaria.com) and
Tom Snelling of Loughborough University for their assistance.

Core Data
We would like to acknowledge Natalie Silvanovich of Google Project
Zero for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl3wFr0ACgkQBz4uGe3y
0M3ibQ/+Oe5QaqGIxkCPgm0CR+0Zd+tVtVICpqIIEhtBNQYRAkJlzVlkwLwtJVvu
TUolgK4uRCX2lDCvFh0dI0ZeVtmV+8J/QgngIeFePujHHFFwsEKp8wVMNEqVtf3n
hmp+yzv4Ess05PP5dIcNQHETJzzZMvxD8FFKIbGhqPwbNSWhvvfnD3RaUG9Lnpqc
Fy1v2iXMUeY1zZWJcpin+PmdQUykQTA+yYKcNdZe5iyfZN7eB3NH9ETfRONSuMTj
hX5B3Aw7Vz82Nbcgs4cldi5J/hKgztzJ1WUOaeBCQ8MUtq8Nw89hBmu/ofExlADl
+OmgML4tkBX5+BlcH8e1bSixB6CvccbUdNO64SCim2xklv4LBfSaxAfnTphpY9Er
6WZ+UJPEaKyVFXnhy2awBoWpsPnSsZeQ8EavGOPMf2PihtnUpCBn0FeVjLrdJ+0h
qHzzaSpA8+mhU0lmdPPv1OB8xrXXwHtBVXahUmLZCKWuFwGbGtYX4OvvExWTv44X
w5hGYsr3evRKThEp8VN8xJCkaIOdLYP3XTE1B+ItN0V89EBkK++8rfBL433HgcUQ
R51YvVFiOSHSDLbLHYBCSdTtxNV6rLZPD2KtyElTAiiNckKaKL2h45VE/0YvCRNB
7eAoX1SX111SbJgT8TEn5PhoEMldiS5oAmjleCrgMbj+s+APQV0=
=aeqk
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ