------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2016-0004 ------------------------------------------------------------------------ Date reported : May 30, 2016 Advisory ID : WSA-2016-0004 Advisory URL : http://webkitgtk.org/security/WSA-2016-0004.html CVE identifiers : CVE-2016-1854, CVE-2016-1856, CVE-2016-1857, CVE-2016-1858, CVE-2016-1859. Several vulnerabilities were discovered in WebKitGTK+. CVE-2016-1854 Versions affected: WebKitGTK+ before 2.12.1. Credit to Anonymous working with Trend Micro's Zero Day Initiative. WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1855, CVE-2016-1856, and CVE-2016-1857. CVE-2016-1856 Versions affected: WebKitGTK+ before 2.12.1. Credit to lokihardt working with Trend Micro's Zero Day Initiative. WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857. CVE-2016-1857 Versions affected: WebKitGTK+ before 2.12.3. Credit to Jeonghoon Shin@A.D.D and Liang Chen, Zhen Feng, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative. WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856. CVE-2016-1858 Versions affected: WebKitGTK+ before 2.12.0. Credit to Anonymous. WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site. CVE-2016-1859 Versions affected: WebKitGTK+ before 2.12.1. Credit to Liang Chen, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative. The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: http://webkitgtk.org/security.html The WebKitGTK+ team, May 30, 2016
Attachment:
signature.asc
Description: OpenPGP digital signature