-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4012
    Multiple vulnerabilities have been identified in Safari web browser
                              30 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8823 CVE-2019-8822 CVE-2019-8821
                   CVE-2019-8820 CVE-2019-8819 CVE-2019-8816
                   CVE-2019-8815 CVE-2019-8814 CVE-2019-8813
                   CVE-2019-8812 CVE-2019-8811 CVE-2019-8808
                   CVE-2019-8783 CVE-2019-8782 

Reference:         ESB-2019.4011
                   ESB-2019.4010
                   ESB-2019.4009

Original Bulletin: 
   https://support.apple.com/en-au/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-5 Safari 13.0.3

Safari 13.0.3 is now available and addresses the following:

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8813: an anonymous researcher

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8782: Cheolung Lee of LINE+ Security Team
CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
CVE-2019-8808: found by OSS-Fuzz
CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8812: an anonymous researcher
CVE-2019-8814: Cheolung Lee of LINE+ Security Team
CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8819: Cheolung Lee of LINE+ Security Team
CVE-2019-8820: Samuel Groß of Google Project Zero
CVE-2019-8821: Sergei Glazunov of Google Project Zero
CVE-2019-8822: Sergei Glazunov of Google Project Zero
CVE-2019-8823: Sergei Glazunov of Google Project Zero

WebKit Process Model
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8815: Apple

Additional recognition

WebKit
We would like to acknowledge Dlive of Tencent's Xuanwu Lab and Zhiyi
Zhang of Codesafe Team of Legendsec at Qi'anxin Group for their
assistance.

Installation note:

Safari 13.0.3 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----