APPLE-SA-2018-10-30-5 tvOS 12.1

tvOS 12.1 is now available and addresses the following:

CoreCrypto
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers
Description: An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes.
CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of Royal Holloway, University of London, and Juraj Somorovsky of Ruhr University, Bochum

ICU
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted string may lead to heap corruption
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4394: an anonymous researcher

IPSec
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2018-4420: Mohamed Ghannam (@_simo36)

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security Team

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4419: Mohamed Ghannam (@_simo36)

NetworkExtension
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Connecting to a VPN server may leak DNS queries to a DNS proxy
Description: A logic issue was addressed with improved state management.
CVE-2018-4369: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4372: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
CVE-2018-4382: lokihardt of Google Project Zero
CVE-2018-4386: lokihardt of Google Project Zero
CVE-2018-4392: zhunki of 360 ESG Codesafe Team
CVE-2018-4416: lokihardt of Google Project Zero

WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious website may be able to cause a denial of service
Description: A resource exhaustion issue was addressed with improved input validation.
CVE-2018-4409: Sabri Haddouche (@pwnsdx) of Wire Swiss GmbH

WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4378: an anonymous researcher, zhunki of 360 ESG Codesafe Team

WiFi
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved validation.
CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile Networking Lab at Technische Universität Darmstadt

Additional recognition

Certificate Signing
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

Security
We would like to acknowledge Marinos Bernitsas of Parachute for their assistance.

Installation note:

Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."

To check the current version of software, select "Settings -> General -> About."

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
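
Added example for the CoreCrypto entry (CVE-2018-4398); it is not part of Apple's advisory and is not CoreCrypto code. It shows why Miller-Rabin with a predictable base list can accept a composite while randomly drawn bases reject it. The base list (2, 3, 5, 7), the function names and the use of Python's secrets module as the random source are assumptions made for illustration.

```python
import secrets

FIXED_BASES = (2, 3, 5, 7)  # constructed illustration, not CoreCrypto's base list
PSI_4 = 3215031751          # 151 * 751 * 28351: smallest strong pseudoprime to bases 2, 3, 5 and 7


def passes_round(n, a):
    """One Miller-Rabin round: True if odd n > 2 is a strong probable prime to base a."""
    d, s = n - 1, 0
    while d % 2 == 0:           # write n - 1 = d * 2**s with d odd
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                # a is a witness: n is certainly composite


def is_prime_fixed_bases(n, bases=FIXED_BASES):
    """Predictable bases: whoever supplies n can pick a composite that passes all of them."""
    if n < 2:
        return False
    for b in bases:             # bases are prime, so this is plain trial division
        if n % b == 0:
            return n == b
    return all(passes_round(n, b) for b in bases)


def is_prime_random_bases(n, rounds=40):
    """Bases drawn per call from a CSPRNG: a composite survives with probability <= 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # 2 + randbelow(n - 3) is uniform on [2, n - 2]
    return all(passes_round(n, 2 + secrets.randbelow(n - 3)) for _ in range(rounds))


if __name__ == "__main__":
    print("fixed bases accept composite :", is_prime_fixed_bases(PSI_4))
    print("base 11 exposes it           :", not passes_round(PSI_4, 11))
    print("random bases accept composite:", is_prime_random_bases(PSI_4))
    print("random bases accept 2**61 - 1:", is_prime_random_bases(2**61 - 1))
```

The practical check for code that validates primes received from another party (for example Diffie-Hellman group parameters) is that the bases are unpredictable to whoever supplies the number under test.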