| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <3671D62B-E5B3-4D7B-B8A1-426AC99D5717@lists.apple.com> Date: Tue, 29 Jul 2025 16:27:46 -0700 From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org> To: security-announce@...ts.apple.com Subject: [FD] APPLE-SA-07-29-2025-2 iPadOS 17.7.9 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-07-29-2025-2 iPadOS 17.7.9 iPadOS 17.7.9 addresses the following issues. Information about the security content is also available at https://support.apple.com/124148. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Privacy Indicators for microphone or camera access may not be correctly displayed Description: The issue was addressed by adding additional logic. CVE-2025-43217: Himanshu Bharti (@Xpl0itme) CFNetwork Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An attacker may be able to cause unexpected app termination Description: A use-after-free issue was addressed by removing the vulnerable code. CVE-2025-43222: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs CFNetwork Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: A non-privileged user may be able to modify restricted network settings Description: A denial-of-service issue was addressed with improved input validation. CVE-2025-43223: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs copyfile Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An app may be able to access protected user data Description: This issue was addressed with improved validation of symlinks. CVE-2025-43220: Mickey Jin (@patch1t) CoreMedia Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2025-43210: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative CoreMedia Playback Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An app may be able to access user-sensitive data Description: The issue was addressed with additional permissions checks. CVE-2025-43230: Chi Yuan Chang of ZUSO ART and taikosoup Find My Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An app may be able to fingerprint the user Description: A permissions issue was addressed with additional restrictions. CVE-2025-31279: Dawuge of Shuffle Team ICU Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2025-43209: Gary Kwong working with Trend Micro Zero Day Initiative ImageIO Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing a maliciously crafted image may result in disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2025-43226 Kernel Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: A remote attacker may be able to cause unexpected system termination Description: The issue was addressed with improved checks. CVE-2025-24224: Tony Iskow (@Tybbow) libxslt Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing maliciously crafted web content may lead to memory corruption Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-7424: Ivan Fratric of Google Project Zero Mail Drafts Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Remote content may be loaded even when the 'Load Remote Images' setting is turned off Description: This issue was addressed through improved state management. CVE-2025-31276: Himanshu Bharti (@Xpl0itme) Notes Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An app may be able to access sensitive user data Description: A logging issue was addressed with improved data redaction. CVE-2025-43225: Kirin (@Pwnrin) Sandbox Profiles Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: An app may be able to read a persistent device identifier Description: A permissions issue was addressed with additional restrictions. CVE-2025-24220: Wojciech Regula of SecuRing (wojciechregula.blog) WebKit Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing maliciously crafted web content may lead to memory corruption Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 291742 CVE-2025-31278: Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei WebKit Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing web content may lead to a denial-of-service Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 293730 CVE-2025-43211: Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei WebKit Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A use-after-free issue was addressed with improved memory management. WebKit Bugzilla: 295382 CVE-2025-43216: Ignacio Sanmillan (@ulexec) WebKit Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. WebKit Bugzilla: 296459 CVE-2025-6558: Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group Additional recognition CoreAudio We would like to acknowledge @zlluny, Noah Weinberg for their assistance. Device Management We would like to acknowledge Al Karak for their assistance. Game Center We would like to acknowledge YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab for their assistance. libxml2 We would like to acknowledge Sergei Glazunov of Google Project Zero for their assistance. libxslt We would like to acknowledge Ivan Fratric of Google Project Zero for their assistance. Shortcuts We would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup, and Dennis Kniep for their assistance. This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iPadOS 17.7.9". All information is also posted on the Apple Security Releases web site: https://support.apple.com/100100. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmiJVBkACgkQX+5d1TXa IvrOMRAAllL6bLwsLyQP5UbOVoNsk/1orcqBHpEMKpG/OcJJYDeCRg+c1cmhAVIy pPxPK+0z++0bLPFCJ0XDO4mZ8lB9wxIqsgCqy/PjMz56qCT7/D/Wo7Qgy9YdjxV3 jYQ3vVyhhb0suVN7X8JjEwyjwVHSImlZaDywu6B5QbK/1/YzQDiIQQT+e6cGGdtl pOEIuIH0KTAIjWLPT6a0S7rMqhOKeBgxzxBbtj9dyZzkxFfRWhbX09SRrFM00X09 bVD3v2nlxL/Rp8k6h1JrpdI6i7AmYoNN5UPVn7ZxkszDt8ZOvW8G8PR0IKDfeeJV 7YYUHSKc5enVr0Ai9HOeWw0y/RoBAk8Z7J1nvxcPQilIObtIYoJ54/gjs7rs7chF 4c2VXabHqPldlDcgKDWGfjSn3F+o15QPJTZw+yGjkmo/qlERPnh0Db9Zc30g6XQd QRhJYHLoXcPL9+6Jkpw4qylS+YVCEX3QxmVAMTY2XO3FD27IWGxghyEIcL1zd39V 4UtteTJeUH6Pl2hPGSAUk/kERWEy1Daa+knp0jGlvj76ORbz8xvZaFF2cnkM4k+E WMtY32j85ZHWnyluvWHamkI/QlDKF7V4DZO+JTBnasWEW0K6RuE7/9TfsEkFbAEL fZwplk/FugHhf904bLSq5mGcBQDOZbM6suRax0u+NzG6Q1sfeWQ= =R7NW -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists