—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512
APPLE-SA-2017-05-15-7 Safari 10.1.1
Safari 10.1.1 is now available and addresses the following:
Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Visiting a maliciously crafted webpage may lead to an
application denial of service
Description: An issue in Safari’s history menu was addressed through
improved memory handling.
CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-2500: Zhiyang Zeng and Yuyang Zhou of Tencent Security
Platform Department
CVE-2017-2511: Zhiyang Zeng of Tencent Security Platform Department
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-2496: Apple
CVE-2017-2505: lokihardt of Google Project Zero
CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with
Trend Micro’s Zero Day Initiative
CVE-2017-2514: lokihardt of Google Project Zero
CVE-2017-2515: lokihardt of Google Project Zero
CVE-2017-2521: lokihardt of Google Project Zero
CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (
tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab
(tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2530: Wei Yuan of Baidu Security Lab
CVE-2017-2531: lokihardt of Google Project Zero
CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro’s
Zero Day Initiative
CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro’s
Zero Day Initiative
CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro’s
Zero Day Initiative
CVE-2017-2547: lokihardt of Google Project Zero,
Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day
Initiative
CVE-2017-6980: lokihardt of Google Project Zero
CVE-2017-6984: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit Editor
commands. This issue was addressed with improved state management.
CVE-2017-2504: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit
container nodes. This issue was addressed with improved state
management.
CVE-2017-2508: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of pageshow
events. This issue was addressed with improved state management.
CVE-2017-2510: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit cached
frames. This issue was addressed with improved state management.
CVE-2017-2528: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues with addressed through
improved memory handling.
CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend
Micro’s Zero Day Initiative
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in frame loading. This issue was
addressed with improved state management.
CVE-2017-2549: lokihardt of Google Project Zero
WebKit Web Inspector
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.5
Impact: An application may be able to execute unsigned code
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-2499: George Dan (@theninjaprawn)
Installation note:
Safari 10.1.1 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–
Comment: GPGTools – https://gpgtools.org
iQIcBAEBCgAGBQJZGdmMAAoJEIOj74w0bLRGxi0P/RqhFhUl2dpkTY8fSc/Wpzub
wuddiZwq3N6DDOioJuKYj0SfO0xazfb5IC2a+YOlQ7CwnorOw648O6PFTTLnTGun
fJwP+aIovFdL6h4NuyBRZJvSxXQSCdlV2gBcDCOdc0SmHGHjk87u0bjTvPY4P34z
Jfr0+Q0wNCAVgd/DQbreJFQzHaGieQ6heGRoFB/ag17f9DRyxmhCLxdn1XmKIXWV
/602XgwLnlpVBAFRDmNNSjkF4C2/qoUGyCQR1WrkwoN2L4wQ1mxxNKNBzlSH8AzY
RlV3UdnFJMrdddOkMc7GTgSwMWhyD84YrcpGuxL1ImIiyafZ7DCc3fZWUSgMIhE2
FwCBnga4qlqCzaNeZPpTfbufROHansUBy8FQds1IDm62nm4mw4IJeuortlrBtFLf
Zo/P4ftzTG8gihkcOhg1ew8KW8hi5WeH554zIYVMZA839bfWr7B9ebjw3Run0Uka
M7abLl4l1fvWluB+LHt5m65knnw6biNDs8gw5xkBLwDFU4zc3Z5Q/G/AiL9pe1Yz
wE5MUiECDy3WrVaCptkjXdvJiev+KjrQnHkd0ui56sS9MjrP+f2P1OZCfcqmlibJ
+U6YIErsplfR9FIaaf+ntlEV5f9BBeq0VHfQJfigwVD5bHUFBSr4ZHq9/9NEDoGu
Kh8ARPteimq+z9WoNkT/
=H1Pv
—–END PGP SIGNATURE—–
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)