from SecurityFocus Vulnerabilities http://ift.tt/1VZkuYr
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-05-16-1 tvOS 9.2.1

tvOS 9.2.1 is now available and addresses the following:

CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An information leak existed in the handling of HTTP and
HTTPS requests. This issue was addressed through improved URL
handling.
CVE-ID
CVE-2016-1801 : Alex Chapman and Paul Stone of Context Information
Security

CommonCrypto
Available for: Apple TV (4th generation)
Impact: A malicious application may be able to leak sensitive user
information
Description: An issue existed in the handling of return values in
CCCrypt. This issue was addressed through improved key length
management.
CVE-ID
CVE-2016-1802 : Klaus Rodewig

CoreCapture
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working
with Trend Micro's Zero Day Initiative

Disk Images
Available for: Apple TV (4th generation)
Impact: An application may be able to read kernel memory
Description: A race condition was addressed through improved
locking.
CVE-ID
CVE-2016-1807 : Ian Beer of Google Project Zero

Disk Images
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro

ImageIO
Available for: Apple TV (4th generation)
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1811 : Lander Brandt (@landaire)

IOAcceleratorFamily
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro

IOAcceleratorFamily
Available for: Apple TV (4th generation)
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through
improved locking.
CVE-ID
CVE-2016-1814 : Juwei Lin of TrendMicro

IOAcceleratorFamily
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed through
improved locking.
CVE-ID
CVE-2016-1819 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1813 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent

Kernel
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1827 : Brandon Azad
CVE-2016-1828 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad

libc
Available for: Apple TV (4th generation)
Impact: An application may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1832 : Karl Williamson

libxml2
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1834 : Apple
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1837 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1839 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany

libxslt
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1841 : Sebastian Apelt

OpenGL
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks

WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may disclose data
from another website
Description: An insufficient taint tracking issue in the parsing of
svg images was addressed through improved taint tracking.
CVE-ID
CVE-2016-1858 : an anonymous researcher

WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1854 : Anonymous working with Trend Micro's Zero Day
Initiative
CVE-2016-1855 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-1856 : lokihardt working with Trend Micro's Zero Day
Initiative
CVE-2016-1857 : Jeonghoon Shin@A.D.D, Liang Chen, Zhen Feng, wushi of
KeenLab, Tencent working with Trend Micro's Zero Day Initiative

WebKit Canvas
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1859 : Liang Chen, wushi of KeenLab, Tencent working with
Trend Micro's Zero Day Initiative

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software.".

To check the current version of software, select
"Settings -> General -> About".

Information will also be posted to the Apple Security Updates
web site: http://ift.tt/1UO9Pxs

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://ift.tt/JvT2t4
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----