Package : vlc
CVE ID : CVE-2017-9300 CVE-2017-10699
Several vulnerabilities have been found in VLC, the VideoLAN project's media player. Processing malformed media files could lead to denial of service and potentially the execution of arbitrary code.
For the oldstable distribution (jessie), these problems have been fixed in version 2.2.7-1~deb8u1.
For the stable distribution (stretch), these problems have been fixed in version 2.2.7-1~deb9u1.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification
======================================================================
5) Time Table

2017/03/14 - Vendor notified about vulnerability.
2017/03/17 - Vendor supplied bug ticket ID.
2017/05/10 - Vendor asks for extension of publishing deadline.
2017/05/11 - Replied to vendor with new publishing timeline.
2017/05/15 - Vendor supplies information of fix in main codeline.
2017/10/17 - Release of vendor patch.
2017/10/18 - Release of Secunia Advisory SA76869.
2017/11/21 - Public disclosure of Secunia Research Advisory.
Flexera supports and contributes to the community in several ways. We have always believed that reliable vulnerability intelligence and tools to aid identifying and fixing vulnerabilities should be freely available for consumers to ensure that users, who care about their online privacy and security, can stay secure. Only a few vendors address vulnerabilities in a proper way and help users get updated and stay secure. End-users (whether private individuals or businesses) are otherwise left largely alone, and that is why back in 2002, Secunia Research started investigating, coordinating disclosure and verifying software vulnerabilities. In 2016, Secunia Research became a part of Flexera and today our in-house software vulnerability research remains the core of the Software Vulnerability Management products at Flexera.
The public Secunia Advisory database contains information for researchers, security enthusiasts, and consumers to look up individual products and vulnerabilities and assess whether they need to take any action to secure their systems or whether a given vulnerability has already been discovered.
Package : libspring-ldap-java
CVE ID : CVE-2017-8028
Tobias Schneider discovered that libspring-ldap-java, a Java library for Spring-based applications using the Lightweight Directory Access Protocol, would under some circumstances allow authentication with a correct username but an arbitrary password.
For the oldstable distribution (jessie), this problem has been fixed in version 1.3.1.RELEASE-5+deb8u1.
We recommend that you upgrade your libspring-ldap-java packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher
Installation note:
Safari 11.0.2 may be obtained from the Mac App Store.
APPLE-SA-2017-12-13-7 Additional information for APPLE-SA-2017-12-6-4
tvOS 11.2
tvOS 11.2 addresses the following:
IOSurface
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13861: Ian Beer of Google Project Zero
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple
CVE-2017-13876: Ian Beer of Google Project Zero
CVE-2017-13867: Ian Beer of Google Project Zero
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher
Entry added December 13, 2017
Wi-Fi
Available for: Apple TV (4th generation)
Released for Apple TV 4K in tvOS 11.1.
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
Installation note:
Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."
To check the current version of software, select "Settings -> General -> About."
tvOS 11.2.1 is now available and addresses the following:
HomeKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903: Tian Zhang
Installation note:
Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."
To check the current version of software, select "Settings -> General -> About."
iOS 11.2.1 is now available and addresses the following:
HomeKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903: Tian Zhang
Installation note:
This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
The version after applying this update will be "11.2.1".