lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Nov 2020 11:37:34 -0800
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2020-11-13-5 Additional information for
 APPLE-SA-2020-09-16-3 Safari 14.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-11-13-5 Additional information for
APPLE-SA-2020-09-16-3 Safari 14.0

Safari 14.0 addresses the following issues. Information about
the security content is also available at
https://support.apple.com/HT211845.

Safari
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI handling.
CVE-2020-9993: Masato Sugiyama (@smasato) of University of Tsukuba,
Piotr Duszynski
Entry added November 12, 2020

Safari
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2020-9987: Rafay Baloch (cybercitadel.com) of Cyber Citadel
Entry added November 12, 2020

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-9948: Brendan Draper (@6r3nd4n) working with Trend Micro
Zero Day Initiative

WebKit
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
CVE-2020-9950: cc working with Trend Micro Zero Day Initiative
CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
Entry updated November 12, 2020

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9952: Ryan Pickren (ryanpickren.com)

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to code
execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9983: zhunki

Additional recognition

Safari
We would like to acknowledge @PaulosYibelo of Limehats, Ryan Pickren
(ryanpickren.com) for their assistance.
Entry added November 12, 2020

Safari Reader
We would like to acknowledge Zhiyang Zeng(@Wester) of OPPO ZIWU
Security Lab for their assistance.
Entry added November 12, 2020

WebKit
We would like to acknowledge Pawel Wylecial of REDTEAM.PL, Ryan
Pickren (ryanpickren.com), Tsubasa FUJII (@reinforchu), Zhiyang
Zeng(@Wester) of OPPO ZIWU Security Lab for their assistance.
Entry added November 12, 2020

Installation note:

Safari 14.0 may be obtained from the Mac App Store.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl+uxmkACgkQZcsbuWJ6
jjC10xAApnFTMOYmt4Y5o7KF5E6OBizR9toCIxwAxr8nRX5/UfPC3aIKv7DFYTP/
JrAlUMM8soZAuytc1dQPXpMgsM71OctsSM92Z06oEVeiN9w1lZ/Bonh8F2R0Sm2Y
upMFk6aHHWt++JfhbYQULNZx9zrT885dmyynLTk5kHB8TRnIqUmtzcpeYWkGkT78
TdMn9w9atcbSbi0Yqybmy+CE3qvm96C8TIQTMj2Qlp04AU0ZAtogZfTwJvPV8LIx
sqHaGRO2hcTchxcWn50edjANOOBK+16QdcqoTKKVZY95RjIFvksD/lAZqMlNIlNR
X5pXr2NfkPRQwMcyAW4YKEJ165TohV/6eiYKJr70BbigWWwfNWhjJiT4drAnd9ii
uO6NI85hLLeF6me28L2RPxO7XuVnu5MXzLzgKR0dprsyoF0yxEcJ6rX56bduggli
lZ+eziUH5ReUw0E3RtIC5u0NSOPjsYuErH0qH0nCTUU6dRNI7u1ZKq44eyGjrdvg
vfNoci5yMnqsp+8D/yjZc2zQZCSEXgMpuNNac1Unv1JFPrypG/N5a2qmqDWi+P/x
Pcbv1TzDS0XwXuwXMgTflj6MY38gbAIpZlZNEyjvxx9r7MUBYEeEW1KMoTtghiaa
kL7XmKJEGZib++TAP4+jZ/6tWjhijdmkx5S+85vi7TV8NbHpn4o=
=EiFD
-----END PGP SIGNATURE-----


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists