-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-05-15-3 tvOS 10.2.1 tvOS 10.2.1 is now available and addresses the following: AVEVideoEncoder Available for: Apple TV (4th generation) Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team CoreAudio Available for: Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team IOSurface Available for: Apple TV (4th generation) Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6979: Adam Donenfeld of Zimperium zLabs Kernel Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved locking. CVE-2017-2501: Ian Beer of Google Project Zero Kernel Available for: Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2507: Ian Beer of Google Project Zero CVE-2017-6987: Patrick Wardle of Synack SQLite Available for: Apple TV (4th generation) Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2513: found by OSS-Fuzz SQLite Available for: Apple TV (4th generation) Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-2518: found by OSS-Fuzz CVE-2017-2520: found by OSS-Fuzz SQLite Available for: Apple TV (4th generation) Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2519: found by OSS-Fuzz TextInput Available for: Apple TV (4th generation) Impact: Parsing maliciously crafted data may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2524: Ian Beer of Google Project Zero WebKit Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. CVE-2017-2504: lokihardt of Google Project Zero WebKit Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-2505: lokihardt of Google Project Zero CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Microas Zero Day Initiative CVE-2017-2515: lokihardt of Google Project Zero CVE-2017-2521: lokihardt of Google Project Zero CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab ( tencent.com) working with Trend Microas Zero Day Initiative CVE-2017-2530: Wei Yuan of Baidu Security Lab CVE-2017-2531: lokihardt of Google Project Zero CVE-2017-6980: lokihardt of Google Project Zero CVE-2017-6984: lokihardt of Google Project Zero WebKit Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues with addressed through improved memory handling. CVE-2017-2536: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative WebKit Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in frame loading. This issue was addressed with improved state management. CVE-2017-2549: lokihardt of Google Project Zero WebKit Web Inspector Available for: Apple TV (4th generation) Impact: An application may be able to execute unsigned code Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2499: George Dan (@theninjaprawn) Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software.a To check the current version of software, select "Settings -> General -> About.a Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJZGdmLAAoJEIOj74w0bLRGTv0QALXtcCO+P0UQrA8OdpvNFaYM wLPRoyGpEpnLo1acqD6bhILsI3aC+sPby7OyPhWYVVYSiJu11AYW0z51nYIo6Yua 3Gn1BnksriTPQo6o7gJf65ZSvFj5gew90tfpQI634ywolMcpU98lbDMimKxqGxXl fALlrapTntZEvYHuHiSVXEh823ZQWKIjzHuJBPWq7TqcCQt09cbeYCHVtqf+43jm hqWCIQ1CePLhhsBUy2ZwsYqD5TRiEZGLTQiSgBX8iWHRLm5D6hoi05PeDrK5fNma nz2doNMDPkYY7TIR0cnfrKR9Q/Oy6C7C/wX17Kv7iaGpg66f5hSf+JFTreJCg21E DJYxuty2sf0+DnxNvkczGHChnv/hPc5yLozKuMu62VdiAtuCTd/93s52WZTT1ZPi NsKi/TKHRcV5EH/j453f3o9RRnaqtFcrVv2Jp+WK6e2/s6qlQUCwH3o99lR14Cn3 1VyJEMj3S6SL125RbfM8aRsIyqsPY0aKCayA1/prDbjEZOv4urnDQid2hFeGGviW RxoH8N8Y3j2z/bkJ9LQApekOF8MAv9yWmhpklnOWLeL/bGAsEschQMrkkiGwe87D WILIbwTJzEs++U+PF5NIgXytiLzrqmHCOmjTA595q8pfkIU0WSQV4tGMNieptDJZ n4lw8wPv5laa5ARIQHP/ =94LN -----END PGP SIGNATURE-----