| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Mar 2020 15:18:52 -0700 From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org> To: Apple Product Security via Security-announce <security-announce@...ts.apple.com> Subject: [FD] APPLE-SA-2020-03-24-5 Safari 13.1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-03-24-5 Safari 13.1 Safari 13.1 is now available and addresses the following: Safari Downloads Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: A malicious iframe may use another website’s download settings Description: A logic issue was addressed with improved restrictions. CVE-2020-9784: Ruilin Yang of Tencent Security Xuanwu Lab, Ryan Pickren (ryanpickren.com) WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2020-3901: Benjamin Randazzo (@____benjamin) WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: A download's origin may be incorrectly associated Description: A logic issue was addressed with improved restrictions. CVE-2020-3887: Ryan Pickren (ryanpickren.com) WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-3895: grigoritchy CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: An application may be able to read restricted memory Description: A race condition was addressed with additional validation. CVE-2020-3894: Sergei Glazunov of Google Project Zero WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: Processing maliciously crafted web content may lead to code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-9783: Apple WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: A remote attacker may be able to cause arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. CVE-2020-3899: found by OSS-Fuzz WebKit Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: An input validation issue was addressed with improved input validation. CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit) WebKit Page Loading Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina Impact: A file URL may be incorrectly processed Description: A logic issue was addressed with improved restrictions. CVE-2020-3885: Ryan Pickren (ryanpickren.com) Additional recognition Safari We would like to acknowledge Dlive of Tencent Security Xuanwu Lab, Jacek Kolodziej of Procter & Gamble, and Justin Taft of One Up Security, LLC for their assistance. Safari Extensions We would like to acknowledge Jeff Johnson of underpassapp.com for their assistance. Safari Reader We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com) for their assistance. WebKit We would like to acknowledge Emilio Cobos Álvarez of Mozilla, Samuel Groß of Google Project Zero, and an anonymous researcher for their assistance. Installation note: Safari 13.1 may be obtained from the Mac App Store. -----BEGIN PGP SIGNATURE----- Version: BCPG v1.64 iQIcBAEDCAAGBQJeejDWAAoJEAc+Lhnt8tDN+aYP/2PReUsWsxAK0Xv2Uv6h2jht aBFzq84DKiz26b6xi5/c40bLzCc7zoHySJHIPoHNiUMocQHmyRbOziE6pSWXpmcm rZK5iJ0IF9TAPt58zqkxmUcTr+T/dq1aiVXJNRSp/NolB4rN5Vg8BHywZ8nOYmGl SPDe1Xo15Q1yDBxjaoAo6vMXeu2/DPoVk/WNSceWGcd/ImCqoFpWvmmpuVyJXN0u nFskPkX46KP8SGwf2F9lPWwfLNMGrqSxWh8Wsnevhot/CVjS5hguGlsLvv+5cIE3 DQfDwjMAKXTbJAUXVxcUv4I1k7qoDOPvfaLhZLKaPb2/0TB0Gsovyz9/Dd68Y8a3 bkEoJaM/mnp9p3V//2ITES1LYpibzXL3AUWDWwYvCaIDghllXFn+5tmu7Pd40sIQ Pl/qSzdOQ57OJbjedMsJkhtTX71iuhWbEMvzB+btrKRKKIOcCdnpWYMrYe8Zflil wUWyPiOLNoj18qT/iUfcq2qD98CNPMheYZHr6JWnXDCaRkZ6z7C0yemu/auZOmiD cIeYBa4wnBoYX8Vd1avqyUXAUe2C5gjJOynb7x4TwkKIbcmkrZpMcLM2prNM6h29 G04eqXKH/SODUViPZGn3vahn2SZ4HtN9R7Ae7+pJfbI/0IDjLaA+yzQa6MBBpzNV 9nrxH+hfviekXKwfUo5r =JnUX -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists