lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <744D9939-BBE2-4BEA-B282-CD74CEAA90A9@lists.apple.com>
Date: Tue, 25 May 2021 15:21:50 -0700
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2021-05-25-5 Safari 14.1.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-05-25-5 Safari 14.1.1

Safari 14.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212534.

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2021-30749: an anonymous researcher and mipu94 of SEFCOM lab,
ASU. working with Trend Micro Zero Day Initiative
CVE-2021-30734: Jack Dates of RET2 Systems, Inc. (@ret2systems)
working with Trend Micro Zero Day Initiative

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A cross-origin issue with iframe elements was addressed
with improved tracking of security origins.
CVE-2021-30744: Dan Hite of jsontop

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: A malicious website may be able to access restricted ports on
arbitrary servers
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30720: David Schütz (@xdavidhu)

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30682: an anonymous researcher and 1lastBr3ath

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-21779: Marcin Towalski of Cisco Talos

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2021-30689: an anonymous researcher

WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2021-30663: an anonymous researcher

WebRTC
Available for: macOS Catalina and macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: A null pointer dereference was addressed with improved
input validation.
CVE-2021-23841: Tavis Ormandy of Google
CVE-2021-30698: Tavis Ormandy of Google

Additional recognition

WebKit
We would like to acknowledge Chris Salls (@salls) of Makai Security
for their assistance.

Installation note:

This update may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmCtU9IACgkQZcsbuWJ6
jjBEaw//cfvBiTZmkDNa2kDjJLMb4J6AmLZMGDGZrE/nJ9kvck9ac4gFZLv0Poz+
PchsZvRelHeadMONH7TbpZlWued9xVn4yQVzO+FPFXmRQgMDPiYwfgP5dnRrfbH0
i3yOiaZuUdo1PKd103CgjpTEc4pJKZpJz5y5PmHIFQxuQt5qynDkSPfrIiszhZ+5
AAh2biUWETDHvPLojVNumhtQOSq/hRXjkOI0+7Foprjg99p2a3TgQeXdgKsuJBpD
Y3Q9WmRrPpwaDR8Hs2qO7Vlo1Nhldo060e5UvBsHXORzOu//boAefYXIK9W1ZKeZ
fOKkrAnwZXcoU3UM/gcvyEXg2e3jt5I0zOV1tDmyQpRfbhR1QsmbWzWLspoOmsVL
CtPh2aS0VYJJ4L6DP+VfdOnwVaTkirHh7LMifZ4UjsEMVz81ODagIj8t5MrDFpyt
vI732lWm5whdaBaxmTe/bCxxAAJhPlKawCySQQODfUEh8ll9ByxpNH2NPOpy57QS
+HxBK4UuWTPGsF7pkLzeCPoJfCZ0OaaS74WcHFanP/TeR3x5E4rTwuHDqD4ItkfD
fVpmVvnyOT+9MKd3Fwopcg8JOM2i96I0G1ptbk4EeYZnQEw2ChU6NDz66AeZwub0
JM43xG0hT7OnUQRm3d9B0su/OzfWQHCCHsZ8WkPxcihUDalDDJg=
=CpII
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ