APPLE-SA-2017-01-23-4 tvOS 10.1.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-01-23-4 tvOS 10.1.1

tvOS 10.1.1 is now available and addresses the following:

Kernel
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero

Kernel
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2360: Ian Beer of Google Project Zero

libarchive
Available for:  Apple TV (4th generation)
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencents Xuanwu Lab (tencent.com) working
with Trend Micros Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A validation issue existed in variable handling. This
issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero

Additional recognition

WebKit hardening
We would like to acknowledge Ben Gras, Kaveh Razavi, Erik Bosman,
Herbert Bos, and Cristiano Giuffrida of the vusec group at
Vrije Universiteit Amsterdam for their assistance.

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software.=E2=80=9D

To check the current version of software, select
"Settings -> General -> About.=E2=80=9D

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apples Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJYgqLhAAoJEIOj74w0bLRGY6EQAML8K3D+sOlvbhCidcaoAbWw
Vn2IGFG4J/Rn7MqomPasMMuKKFXAMyqb3HAfUAgCRqSjuFfwPkzo+nTSIQJRHI+X
SnjsOXGUzaL+/xRz1gQyDDvlNhUMvdONZIdy/guDEXj8VbR8CAa1aGsGxWtCFSCK
pGyYzQuTRSkqaFZJwRNGuHSJoplTZZcu6/VvHI5ZKxFcbMJ0QV3yXUL4abQ2vQjN
JkVqm9TARVAJMMXAO77goU0lqrq1ffkW+TYyTdGPz4u8fI08uQ5E8W/MkUj9OdNj
sgKL8D8YvfDSEXrzoBoNXEQzWAj8rHWEbA187g4u071ja1sd5laQG69Z1L02CkOg
V8pudQaEM5zmSlvnjxKsByS6I3PtLZxffL6yx9Bgv63h+ai/L53VKkqPTFI1GR3q
6rAf+Ky8s6Z4/y7zcaN7TJ9oG82x5bTI5h3R5WmcALOQLJsk+47guYh6ZxSVTcbw
e9oITPRxYqeUzW4u7eOBkWs3i+v+p3hMlY4CGBoUyF0Jb8kH5CaIJNLtvhHC0Ek0
c8PKoG/LpkBoXyiWaTsgQEx/6iMxDtYYiELMLq0gNBrxewz1YWYYE4647kKWjITM
VKtjAJcpCKmXjObE0JufSY79kyT1AQQXab1sZ2HWpdoeaOfz3TDkbLs2lPObgJdo
UOrsZPgApcrRvf+dzocG
=3Duwig
-----END PGP SIGNATURE-----