Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4012 Multiple vulnerabilities have been identified in Safari web browser 30 October 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apple Safari Publisher: Apple Operating System: OS X Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-8823 CVE-2019-8822 CVE-2019-8821 CVE-2019-8820 CVE-2019-8819 CVE-2019-8816 CVE-2019-8815 CVE-2019-8814 CVE-2019-8813 CVE-2019-8812 CVE-2019-8811 CVE-2019-8808 CVE-2019-8783 CVE-2019-8782 Reference: ESB-2019.4011 ESB-2019.4010 ESB-2019.4009 Original Bulletin: https://support.apple.com/en-au/HT201222 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-10-29-5 Safari 13.0.3 Safari 13.0.3 is now available and addresses the following: WebKit Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2019-8813: an anonymous researcher WebKit Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8782: Cheolung Lee of LINE+ Security Team CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team CVE-2019-8808: found by OSS-Fuzz CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech CVE-2019-8812: an anonymous researcher CVE-2019-8814: Cheolung Lee of LINE+ Security Team CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech CVE-2019-8819: Cheolung Lee of LINE+ Security Team CVE-2019-8820: Samuel GroÃ\x{159} of Google Project Zero CVE-2019-8821: Sergei Glazunov of Google Project Zero CVE-2019-8822: Sergei Glazunov of Google Project Zero CVE-2019-8823: Sergei Glazunov of Google Project Zero WebKit Process Model Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8815: Apple Additional recognition WebKit We would like to acknowledge Dlive of Tencent's Xuanwu Lab and Zhiyi Zhang of Codesafe Team of Legendsec at Qi'anxin Group for their assistance. Installation note: Safari 13.0.3 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl24p5UpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQBz4uGe3y0M1LAg// fHUCPO59afw9n4DzZeFXpudIfkl/loz/UHJ8EpOf8KljSq0krbwAgY94o3brfpz1 Q9fZPWIfVJcijR2DdxA9qm2SKvzd5Z7mIpIJ1TBVGpU5Zi9iiqwincK8Q08HVMeP k6/Ue5VV5GTPEdhaDMPTHooMIPiUg/i7NV6PJHcLf6xEGSmOsVOCgmfho9Nt1ZXr eiUXJ7RG/4hmubbUUUNhBXLRy1dPHZYjweP5MJdezQitYSgHC/XBPktqRWqOblLT XLppf+lX3957KoqoM2nxQ+UqF/ohIclYvBw5hgoqm4pTcNscixgoVfb+eyBtR2YB n7Y4D0IBjDcqEiix6QmhqRGGgf8rH/2qCdIEcTIGffYBZngQMUWlc2x/MebiACkW /jVun5wSILGVMd/qa9ol8gsH//lr23/BE4hD0pcD1JK49T4Zp66JzHLShiQ5sqQt 6AT2axARGOeyaLNFVVrJvxaEqeM1nhYvJw37X82qSr+8YGOrznG0sUJdaISbi6bz v/YwV6Ek/6CTOMaTg1Xpgk50icAQm2cNnfBmnM/CEkUqS627Z/Y8RzKU+PFrlhuC 1AIrpyat47AdFUhJ+nbP29qfR8ANu0/GcLJPnC9aYqWftneI+V6hhs/9IvY+QQJS 9sWndqDp8uSKoG84352ubxPZNlBGAYOjwAZ3LvaO4tA= =8wFb - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXbj00GaOgq3Tt24GAQjK/Q/+KkCsg40gk0+6ihic86vM6s1ea7UO8ykz +zESHxwBSh9p3w4i4ToJkQPXgbJVzdk7sL4kW//flxuKqcRr8Mwvh1bZxRG3UazE n7ktd/dHZepMxnnObf3iSKyEEwn3I32W2W8wGLGeRL91QQkZ5+sx3jgw4hjVXY0C WXSR9345q7o0KIIflRoM6putBP2jaxmaZ8/EcJFWRUQt3KEfQL24fDbaypOLTeqW HKx/mg3kcK5Ms/uLb/UATgGZeLEba7CBamjGuKjpIYRxoCSocdjnkBiREqYV/z+2 0mCywhMTro4ZNWucIZQFxPA3x4ZZ/9t1/YOUA5TNLjpA70lVFtX2AgtYJ7Tb9ew/ FZSe2UBIFbFyPv54sBHe2sfXat0Tk0RRwcsjXIrQtTpFgYNY/RLCZRejB6AJ4s5D Jx6BuW6pNM3UZX3TEOEoiOrsicIMJqeI1zlmjw0C0nDgPv6lzZEAu0i3S6vYeehr S0fxdvwGFxNw8AsPS6xbjNP+E53MHTrz+xIcuMno1UR2w8oEtJoRWVw+jy4JW3Ak GEdP68zNBPePeHOkc0fuaWhq8z/76XZ3dIUyuyACBiVmbk2CKERd8CzZW4lXGQmJ iJCtHhVuVcDjgCfSxa7LMZVQWzw0heEP8VS5AwDpGQtSDyXliqy2NOHAZN3mf9XA yryl9ORN3Fc= =xlrG -----END PGP SIGNATURE-----