libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
Monthly Archives: May 2016
CVE-2016-1838 (apple_tv, iphone_os, mac_os_x, watchos)
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840.
CVE-2016-1839 (apple_tv, iphone_os, mac_os_x, watchos)
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840.
CVE-2016-1840 (apple_tv, iphone_os, mac_os_x, watchos)
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839.
CVE-2016-1841 (apple_tv, iphone_os, mac_os_x, watchos)
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVE-2016-1842 (iphone_os, mac_os_x, watchos)
MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
CVE-2016-1843 (mac_os_x)
The Messages component in Apple OS X before 10.11.5 mishandles filename encoding, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2016-1844 (mac_os_x)
The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors.
CVE-2016-1846 (mac_os_x)
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Important Security-Bulletin Pre-Announcement
[UPDATE] Add clarification regarding TYPO3 4.5
The TYPO3 security team has identified a critical security issue in the TYPO3 CMS Core.
All TYPO3 versions from 4.x to 8.1 are affected by this vulnerability. This means also TYPO3 version 4.5 (including 4.5 ELTS) is affected by this vulnerability.
Besides regular releases for supported branches (TYPO3 6.2.x, TYPO3 7.6.x, TYPO3 8.x), we will also provide patches for affected but unmaintained TYPO3 versions, because of the severity of this vulnerability.
Be prepared to update all your TYPO3 installations next Tuesday!
Please understand that we cannot provide any further information until the advisory has been published.
CVSS v2.0 data on the to be released advisory:
AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C (Base Score: 9.3, Temporal Score: 7.7)