[<prev] [next>] [day] [month] [year] [list]
Message-id: <03D073E5-6DD7-40E7-B4AD-DC390A051433@lists.apple.com>
Date: Tue, 24 Mar 2020 15:19:00 -0700
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: Apple Product Security via Security-announce
<security-announce@...ts.apple.com>
Subject: [FD] APPLE-SA-2020-03-24-6 iTunes for Windows 12.10.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2020-03-24-6 iTunes for Windows 12.10.5
iTunes for Windows 12.10.5 is now available and addresses the
following:
libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com
libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-3901: Benjamin Randazzo (@____benjamin)
WebKit
Available for: Windows 7 and later
Impact: A download's origin may be incorrectly associated
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3887: Ryan Pickren (ryanpickren.com)
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3895: grigoritchy
CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech
WebKit
Available for: Windows 7 and later
Impact: An application may be able to read restricted memory
Description: A race condition was addressed with additional
validation.
CVE-2020-3894: Sergei Glazunov of Google Project Zero
WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s
Zero Day Initiative
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9783: Apple
WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-3899: found by OSS-Fuzz
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)
WebKit Page Loading
Available for: Windows 7 and later
Impact: A file URL may be incorrectly processed
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3885: Ryan Pickren (ryanpickren.com)
Additional recognition
WebKit
We would like to acknowledge Emilio Cobos Álvarez of Mozilla, Samuel
Groß of Google Project Zero, and an anonymous researcher for their
assistance.
Installation note:
iTunes for Windows 12.10.5 may be obtained from:
https://www.apple.com/itunes/download/
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.64
iQIcBAEDCAAGBQJeejDYAAoJEAc+Lhnt8tDN1/QP/iLf1EZKWPsH8W908AiHXb3/
0tqn/iO2ZQ0VhAeMQrtjORhJJlekam4fxpZbsYt4xtjcga1ad8IN7tpTsLCYwEQD
sw1/izjkYUj/eRGeX7CEswN7GHfsA4ilR4kH07x6adD17J7PDaCQ81l/Cf/KiGY5
hvqD8DUuVrMCmbyRF9ldJ/DaGLYKN2gh/fRZZm8CmbmQ8BDtLa18SEGUjMmOXAuo
y+f/2H7hgCbWg5OdNzVxEJ2U34nEGIhURDIst5f6+RDQCfYXWGfj8sXXKFGnKCSI
1byaJS+yH4UUURCqVbucw+K6EmUO1brnB0A8g+RvfXd/uic1n91xRs5V7doXsoAq
M9GqQcSnm9dfjjF6g4xAPpyJNEUOhMHzb6ZWdBQGhAGdMdjTUlXPDY0dgQgZL6Jh
rNkzaaUJEv+SOJfFvB3pYyfsmnReBtfxgOTnCXZZdEfn4b/4NhqBZocekjJCd7N3
bPY+fVzvVplXaszwipKaeT/hnQFtlAItND+tPrEagtV0gpPX4RaiYfxKnJ1JojvM
YM1y3SFU4jaZkeEA2/J33NSV1kigxBxHO8eLCG2eGivotL2HNzHzBi3GLg2W2oXI
6M1DaBkSmolD3T2eTiYsyQh2dTnjjNInN+HKLEUbenwHOzYgdoJt41fpzO0vYezH
v9gKNIRdet2XQFFTnhvv
=dwLs
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists