-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-05-16-3 watchOS 2.2.1

watchOS 2.2.1 is now available and addresses the following:

CommonCrypto
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A malicious application may be able to leak sensitive user
information
Description: An issue existed in the handling of return values in
CCCrypt. This issue was addressed through improved key length
management.
CVE-ID
CVE-2016-1802 : Klaus Rodewig

CoreCapture
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working
with Trend Micro's Zero Day Initiative

Disk Images
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local attacker may be able to read kernel memory
Description: A race condition was addressed through improved
locking.
CVE-ID
CVE-2016-1807 : Ian Beer of Google Project Zero

Disk Images
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro

ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1811 : Lander Brandt (@landaire)

IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of
Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro

IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed through
improved locking.
CVE-ID
CVE-2016-1819 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1813 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent

Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1827 : Brandon Azad
CVE-2016-1828 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad

libc
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1832 : Karl Williamson

libxml2
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1834 : Apple
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1837 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1839 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany

libxslt
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1841 : Sebastian Apelt

MapKit
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: Shared links were sent with HTTP rather than HTTPS.
This was addressed by enabling HTTPS for shared links.
CVE-ID
CVE-2016-1842 : Richard Shupak (http://ift.tt/1VZkuHS)

OpenGL
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks

Installation note:

Instructions on how to update your Apple Watch software are
available at http://ift.tt/1GcqSi5

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: http://ift.tt/1UO9Pxs

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://ift.tt/JvT2t4
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----