-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512APPLE-SA-2016-05-16-2 iOS 9.3.2iOS 9.3.2 is now available and addresses the following:AccessibilityAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to determine kernel memory layoutDescription: A buffer overflow was addressed through improved sizevalidation.CVE-IDCVE-2016-1790 : Rapelly AkhilCFNetwork ProxiesAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An attacker in a privileged network position may be able toleak sensitive user informationDescription: An information leak existed in the handling of HTTP andHTTPS requests. This issue was addressed through improved URLhandling.CVE-IDCVE-2016-1801 : Alex Chapman and Paul Stone of Context InformationSecurityCommonCryptoAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A malicious application may be able to leak sensitive userinformationDescription: An issue existed in the handling of return values inCCCrypt. This issue was addressed through improved key lengthmanagement.CVE-IDCVE-2016-1802 : Klaus RodewigCoreCaptureAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: A null pointer dereference was addressed throughimproved validation.CVE-IDCVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker workingwith Trend Microâ??s Zero Day InitiativeDisk ImagesAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A local attacker may be able to read kernel memoryDescription: A race condition was addressed through improvedlocking.CVE-IDCVE-2016-1807 : Ian Beer of Google Project ZeroDisk ImagesAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue existed in the parsing ofdisk images. This issue was addressed through improved memoryhandling.CVE-IDCVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) ofTrend MicroImageIOAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Processing a maliciously crafted image may lead to a denialof serviceDescription: A null pointer dereference was addressed throughimproved validation.CVE-IDCVE-2016-1811 : Lander Brandt (@landaire)IOAcceleratorFamilyAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) ofTrend Micro working with Trend Micro's Zero Day InitiativeCVE-2016-1818 : Juwei Lin of TrendMicroCVE-2016-1819 : Ian Beer of Google Project ZeroIOAcceleratorFamilyAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to cause a denial of serviceDescription: A null pointer dereference was addressed throughimproved locking.CVE-IDCVE-2016-1814 : Juwei Lin of TrendMicroIOAcceleratorFamilyAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: A null pointer dereference was addressed throughimproved validation.CVE-IDCVE-2016-1813 : Ian Beer of Google Project ZeroIOHIDFamilyAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed throughimproved memory handling.CVE-IDCVE-2016-1823 : Ian Beer of Google Project ZeroCVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),TencentKernelAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An application may be able to execute arbitrary code withkernel privilegesDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1827 : Brandon AzadCVE-2016-1828 : Brandon AzadCVE-2016-1829 : CESGCVE-2016-1830 : Brandon AzadCVE-2016-1831 : Brandon AzadlibcAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A local attacker may be able to cause unexpected applicationtermination or arbitrary code executionDescription: A memory corruption issue was addressed throughimproved input validation.CVE-IDCVE-2016-1832 : Karl Williamsonlibxml2Available for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Processing maliciously crafted XML may lead to an unexpectedapplication termination or arbitrary code executionDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1833 : Mateusz JurczykCVE-2016-1834 : AppleCVE-2016-1835 : Wei Lei and Liu Yang of Nanyang TechnologicalUniversityCVE-2016-1836 : Wei Lei and Liu Yang of Nanyang TechnologicalUniversityCVE-2016-1837 : Wei Lei and Liu Yang of Nanyang TechnologicalUniversityCVE-2016-1838 : Mateusz JurczykCVE-2016-1839 : Mateusz JurczykCVE-2016-1840 : Kostya SerebryanylibxsltAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Visiting a maliciously crafted website may lead to arbitrarycode executionDescription: A memory corruption issue was addressed throughimproved memory handling.CVE-IDCVE-2016-1841 : Sebastian ApeltMapKitAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: An attacker in a privileged network position may be able toleak sensitive user informationDescription: Shared links were sent with HTTP rather than HTTPS.This was addressed by enabling HTTPS for shared links.CVE-IDCVE-2016-1842 : Richard Shupak (http://ift.tt/1VZkuHS)OpenGLAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto NetworksSafariAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A user may be unable to fully delete browsing historyDescription: "Clear History and Website Data" did not clear thehistory. The issue was addressed through improved data deletion.CVE-IDCVE-2016-1849 : Adham GhrayebSiriAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A person with physical access to an iOS device may be ableto use Siri to access contacts and photos from the the lock screenDescription: A state management issue existed when accessing Siriresults on the lock screen. This issue was addressed by disablingdata detectors in Twitter results when the device is locked.CVE-IDCVE-2016-1852 : videosdebarraquitoWebKitAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Visiting a malicious website may disclose data from anotherwebsiteDescription: An insufficient taint tracking issue in the parsing ofsvg images was addressed through improved taint tracking.CVE-IDCVE-2016-1858 : an anonymous researcherWebKitAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Visiting a maliciously crafted website may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1854 : Anonymous working with Trend Micro's Zero DayInitiativeCVE-2016-1855 : Tongbo Luo and Bo Qu of Palo Alto NetworksCVE-2016-1856 : lokihardt working with Trend Micro's Zero DayInitiativeCVE-2016-1857 : Jeonghoon Shin (at) A.D (dot) D [email concealed], Liang Chen, Zhen Feng, wushi ofKeenLab, Tencent working with Trend Micro's Zero Day InitiativeWebKit CanvasAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: Visiting a maliciously crafted website may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressedthrough improved memory handling.CVE-IDCVE-2016-1859 : Liang Chen, wushi of KeenLab, Tencent working withTrend Micro's Zero Day InitiativeInstallation note:This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom http://ift.tt/p4ILVniTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. Selecting Don't Installwill present the option the next time you connect your iOS device.The automatic update process may take up to a week depending on theday that iTunes or the device checks for updates. You may manuallyobtain the update via the Check for Updates button within iTunes, orthe Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this updatewill be "9.3.2".Information will also be posted to the Apple Security Updatesweb site: http://ift.tt/1UO9PxsThis message is signed with Apple's Product Security PGP key,and details are available at:http://ift.tt/JvT2t4-----BEGIN PGP SIGNATURE-----Comment: GPGTools - https://gpgtools.orgiQIcBAEBCgAGBQJXOjz9AAoJEIOj74w0bLRGhaEP/2vSxjMnyoe2P8hRRQKb8LaLoigygYPvWnP6pQMywPpnx96TtTK8qFLOtxaCFzk0IYcCvyA7J7Hp+V69JKuOzj7arOPcgwsHbFv56ZMJxlEX0v7l7JcptghvujugKKHXg6M8nRluu47LT4uaUI4y87kVNHhlb59k/SGmmzkY83xvVSX1bHxhTt9/Cmpd+xwVGpQDIhWPurhJnImbvxusZT4I5sVs/+K9C+mAHDvDZbjQi8evDePCmeeeXRmVsNfDTh9oo5Q8iSKjRXC05vZZlcVUR4ntXCEwWXFuLrVDExL1SA36hVuTiht+vbpTDweIj25hfaZs3fTtFIPXzu7MGM50KsV4xMUMeszB+tlC/GoU6s1gK4yo/mxnbmuXxWQGBUKgiVzRXzXAYfGr9CuY+eCmQotCnXl6oKn8oGqX5Tqmt8onjHAAnk1qdrK7FpRxZTPYYzfIn/OEH4kAsCcuj8qqeYdsHM/8C7Oas3it+dZleDTNmFET4aMA4bIOzHiJSyHS1MvzZoSBxKQHLXjZS+yl2Z9c135et4TTeqMl0WwhtHKBGdiUfaLOcUi3e0ZnFdDKjQZyo7+w/ma6l/JKwDLsuUCXLvKeEGeNyA75IbS9WEMDgeykh0DgQ4oF6xXth+yod3YnUNcBR8i8UbW68Jo/WD39gI5XNrpUq9cUOg7t=lS4p-----END PGP SIGNATURE-----[ reply ]from SecurityFocus Vulnerabilities http://ift.tt/24W6lNu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-05-16-2 iOS 9.3.2
iOS 9.3.2 is now available and addresses the following:
Accessibility
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to determine kernel memory layout
Description: A buffer overflow was addressed through improved size
validation.
CVE-ID
CVE-2016-1790 : Rapelly Akhil
CFNetwork Proxies
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An information leak existed in the handling of HTTP and
HTTPS requests. This issue was addressed through improved URL
handling.
CVE-ID
CVE-2016-1801 : Alex Chapman and Paul Stone of Context Information
Security
CommonCrypto
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: An issue existed in the handling of return values in
CCCrypt. This issue was addressed through improved key length
management.
CVE-ID
CVE-2016-1802 : Klaus Rodewig
CoreCapture
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working
with Trend Microâ??s Zero Day Initiative
Disk Images
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to read kernel memory
Description: A race condition was addressed through improved
locking.
CVE-ID
CVE-2016-1807 : Ian Beer of Google Project Zero
Disk Images
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1811 : Lander Brandt (@landaire)
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro
CVE-2016-1819 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through
improved locking.
CVE-ID
CVE-2016-1814 : Juwei Lin of TrendMicro
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1813 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1827 : Brandon Azad
CVE-2016-1828 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad
CVE-2016-1831 : Brandon Azad
libc
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1832 : Karl Williamson
libxml2
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1834 : Apple
CVE-2016-1835 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1837 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1839 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany
libxslt
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1841 : Sebastian Apelt
MapKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: Shared links were sent with HTTP rather than HTTPS.
This was addressed by enabling HTTPS for shared links.
CVE-ID
CVE-2016-1842 : Richard Shupak (http://ift.tt/1VZkuHS)
OpenGL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the
history. The issue was addressed through improved data deletion.
CVE-ID
CVE-2016-1849 : Adham Ghrayeb
Siri
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may be able
to use Siri to access contacts and photos from the the lock screen
Description: A state management issue existed when accessing Siri
results on the lock screen. This issue was addressed by disabling
data detectors in Twitter results when the device is locked.
CVE-ID
CVE-2016-1852 : videosdebarraquito
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may disclose data from another
website
Description: An insufficient taint tracking issue in the parsing of
svg images was addressed through improved taint tracking.
CVE-ID
CVE-2016-1858 : an anonymous researcher
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1854 : Anonymous working with Trend Micro's Zero Day
Initiative
CVE-2016-1855 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-1856 : lokihardt working with Trend Micro's Zero Day
Initiative
CVE-2016-1857 : Jeonghoon Shin (at) A.D (dot) D [email concealed], Liang Chen, Zhen Feng, wushi of
KeenLab, Tencent working with Trend Micro's Zero Day Initiative
WebKit Canvas
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1859 : Liang Chen, wushi of KeenLab, Tencent working with
Trend Micro's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from http://ift.tt/p4ILVn
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "9.3.2".
Information will also be posted to the Apple Security Updates
web site: http://ift.tt/1UO9Pxs
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://ift.tt/JvT2t4
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJXOjz9AAoJEIOj74w0bLRGhaEP/2vSxjMnyoe2P8hRRQKb8LaL
oigygYPvWnP6pQMywPpnx96TtTK8qFLOtxaCFzk0IYcCvyA7J7Hp+V69JKuOzj7a
rOPcgwsHbFv56ZMJxlEX0v7l7JcptghvujugKKHXg6M8nRluu47LT4uaUI4y87kV
NHhlb59k/SGmmzkY83xvVSX1bHxhTt9/Cmpd+xwVGpQDIhWPurhJnImbvxusZT4I
5sVs/+K9C+mAHDvDZbjQi8evDePCmeeeXRmVsNfDTh9oo5Q8iSKjRXC05vZZlcVU
R4ntXCEwWXFuLrVDExL1SA36hVuTiht+vbpTDweIj25hfaZs3fTtFIPXzu7MGM50
KsV4xMUMeszB+tlC/GoU6s1gK4yo/mxnbmuXxWQGBUKgiVzRXzXAYfGr9CuY+eCm
QotCnXl6oKn8oGqX5Tqmt8onjHAAnk1qdrK7FpRxZTPYYzfIn/OEH4kAsCcuj8qq
eYdsHM/8C7Oas3it+dZleDTNmFET4aMA4bIOzHiJSyHS1MvzZoSBxKQHLXjZS+yl
2Z9c135et4TTeqMl0WwhtHKBGdiUfaLOcUi3e0ZnFdDKjQZyo7+w/ma6l/JKwDLs
uUCXLvKeEGeNyA75IbS9WEMDgeykh0DgQ4oF6xXth+yod3YnUNcBR8i8UbW68Jo/
WD39gI5XNrpUq9cUOg7t
=lS4p
-----END PGP SIGNATURE-----
[ reply ]