iOS 10.2.1 is now available and addresses the following:
Auto Unlock
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Auto Unlock may unlock when Apple Watch is off the user’s wrist
Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
macOS 10.12.3 is now available and addresses the following:
apache_mod_php
Available for: macOS Sierra 10.12.2
Impact: Multiple issues in PHP
Description: Multiple issues were addressed by updating to PHP version 5.6.28.
CVE-2016-8670
CVE-2016-9933
CVE-2016-9934
Bluetooth
Available for: macOS Sierra 10.12.2
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A…
watchOS 3.1.3 is now available and addresses the following:
Accounts
Available for: All Apple Watch models
Impact: Uninstalling an app did not reset the authorization settings
Description: An issue existed which did not reset the authorization settings on app uninstall. This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro
tvOS 10.1.1 is now available and addresses the following:
Kernel
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero
Kernel
Available for: Apple TV (4th generation)
Impact: An application may be able to…
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript.
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a “regular expression denial of service (ReDoS).”
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a “catastrophic backtracking issue for the em inline rule,” aka a “regular expression denial of service (ReDoS).”
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.