APPLE-SA-2016-09-20

APPLE-SA-2016-09-20-3

APPLE-SA-2016-09-20-5

APPLE-SA-2016-09-20-6

DSA-3709

93054

1036858

FEDORA-2019-320d5295fc

https://support.apple.com/HT207141

https://support.apple.com/HT207142

https://support.apple.com/HT207143

https://support.apple.com/HT207170

Update to 1.1.33

Fix CVE-2016-1841, CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, CVE-2016-4609, CVE-2019-11068, CVE-2016-1684, CVE-2016-1683, CVE-2016-4738.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201804-01 (libxslt: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libxslt. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker, via a crafted HTML page, could possibly execute       arbitrary code, cause a Denial of Service condition or leak information.
  Workaround :

    There is no known workaround at this time.

GitLab reports :

Please reference CVE/URL list for details

This update for libxslt fixes the following security issues :

  - CVE-2017-5029: The xsltAddTextString function in     transform.c lacked a check for integer overflow during a     size calculation, which allowed a remote attacker to     perform an out of bounds memory write via a crafted HTML     page (bsc#1035905).

  - CVE-2016-4738: Fix heap overread in     xsltFormatNumberConversion: An empty decimal-separator     could cause a heap overread. This can be exploited to     leak a couple of bytes after the buffer that holds the     pattern string (bsc#1005591).

  - CVE-2015-9019: Properly initialize random generator     (bsc#934119).

  - CVE-2015-7995: Vulnerability in function     xsltStylePreCompute' in preproc.c could cause a type     confusion leading to DoS. (bsc#952474) This update was     imported from the SUSE:SLE-12:Update update project.

This update for libxslt fixes the following issues :

  - CVE-2017-5029: The xsltAddTextString function in     transform.c lacked a check for integer overflow during a     size calculation, which allowed a remote attacker to     perform an out of bounds memory write via a crafted HTML     page (bsc#1035905).

  - CVE-2016-4738: Fix heap overread in     xsltFormatNumberConversion: An empty decimal-separator     could cause a heap overread. This can be exploited to     leak a couple of bytes after the buffer that holds the     pattern string (bsc#1005591).

  - CVE-2015-9019: Properly initialize random generator     (bsc#934119).

  - CVE-2015-7995: Vulnerability in function     xsltStylePreCompute' in preproc.c could cause a type     confusion leading to DoS. (bsc#952474)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possible execute arbitrary code.
(CVE-2017-5029)

Nicolas Gregoire discovered that Libxslt mishandled namespace nodes.
An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbtrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683)

Sebastian Apelt discovered that a use-after-error existed in the xsltDocumentFunctionLoadDocument() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1841)

It was discovered that a type confusion error existed in the xsltStylePreCompute() function in Libxslt. An attacker could use this to craft a malicious XML file that, when opened, caused a denial of service (application crash). This issue only affected Ubuntu 14.04 LTS and Ubuntu 12.04 LTS. (CVE-2015-7995)

Nicolas Gregoire discovered the Libxslt mishandled the 'i' and 'a' format tokens for xsl:number data. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1684)

It was discovered that the xsltFormatNumberConversion() function in Libxslt did not properly handle empty decimal separators. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-4738).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Nick Wellnhofer discovered that the xsltFormatNumberConversion function in libxslt, an XSLT processing runtime library, does not properly check for a zero byte terminating the pattern string. This flaw can be exploited to leak a couple of bytes after the buffer that holds the pattern string.

A heap overread bug was found in libxslt, which can cause arbitrary code execution or denial of service.

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.26-14.1+deb7u2.

We recommend that you upgrade your libxslt packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X version 10.x prior to 10.12, and is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2016-4694)
 - apache_mod_php (CVE-2016-5768, CVE-2016-5769, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6174, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297)
 - Apple HSSPI Support (CVE-2016-4697)
 - AppleEFIRuntime (CVE-2016-4696)
 - AppleMobileFileIntegrity (CVE-2016-4698)
 - AppleUUC (CVE-2016-4699, CVE-2016-4700)
 - Application Firewall (CVE-2016-4701)
 - ATS (CVE-2016-4779)
 - Audio (CVE-2016-4702)
 - Bluetooth (CVE-2016-4703)
 - cd9660 (CVE-2016-4706)
 - CFNetwork (CVE-2016-4707, CVE-2016-4708)
 - CommonCrypto (CVE-2016-4711)
 - CoreCrypto (CVE-2016-4712)
 - CoreDisplay (CVE-2016-4713)
 - curl (CVE-2016-0755, CVE-2016-4606)
 - Date & Time Pref Pane (CVE-2016-4715)
 - DiskArbitration (CVE-2016-4716)
 - File Bookmark (CVE-2016-4717)
 - FontParser (CVE-2016-4718)
 - IDS - Connectivity (CVE-2016-4722)
 - Intel Graphics Driver (CVE-2016-4723, CVE-2016-7582)
 - IOAcceleratorFamily (CVE-2016-4724, CVE-2016-4725, CVE-2016-4726)
 - IOThunderboltFamily (CVE-2016-4727)
 - Kerberos v5 PAM module (CVE-2016-4745)
 - Kernel (CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777, CVE-2016-4778)
 - lib archive (CVE-2016-4736)
 - libxml2 (CVE-2016-4658, CVE-2016-5131)
 - libxpc (CVE-2016-4617)
 - libxslt (CVE-2016-4738)
 - mDNSResponder (CVE-2016-4739)
 - NSSecureTextField (CVE-2016-4742)
 - Perl (CVE-2016-4748, CVE-2016-4750)
 - Security (CVE-2016-4752, CVE-2016-4753)
 - Terminal (CVE-2016-4755)
 - WindowServer (CVE-2016-4709, CVE-2016-4710)

Versions of Apple TV earlier than 10.0 are vulnerable to the following issues :

 - A flaw exists in libxml2 that is triggered as certain input is not properly validated.  This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4658)
 - A flaw exists in FontParser that is triggered during the handling of a specially crafted font file. This may allow a context-dependent attacker to disclose information in process memory. (CVE-2016-4718)
 - An unspecified flaw exists in IOAcceleratorFamily that may allow a context-dependent attacker to disclose arbitrary contents of the memory.  No further details have been provided. (CVE-2016-4725)
 - A flaw exists in IOAcceleratorFamily that is triggered as certain input is not properly validated.  This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4726)
 - A flaw exists in libxslt that is triggered as certain input is not properly validated.  This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4738)
 - A flaw exists that is triggered during the handling of a signed disk image.  This may allow a local attacker to gain elevated privileges.  No further details have been provided by the vendor. (CVE-2016-4753)
 - A flaw exists in the kernel that is triggered as the system fails to properly handle locking.  This may allow a remote attacker to cause a denial of service. (CVE-2016-4772)
 - An out-of-bounds read flaw exists in the Kernel that that may allow a local attacker to disclose the contents of memory.  No further details have been provided. (CVE-2016-4773)
 - An out-of-bounds read flaw exists in the Kernel that that may allow a local attacker to disclose the contents of memory.  No further details have been provided. (CVE-2016-4774)
 - A flaw exists in the Kernel that is triggered as certain input is not properly validated.  This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4775)
 - An out-of-bounds read flaw exists in the Kernel that that may allow a local attacker to disclose the contents of memory.  No further details have been provided. (CVE-2016-4776)
 - An untrusted pointer dereference flaw exists in the Kernel that may allow a local attacker to gain elevated privileges.  No further details have been provided by the vendor. (CVE-2016-4777)
 - A flaw exists in the Kernel that is triggered as certain input is not properly validated.  This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4778)

The version of iOS running on the mobile device is prior to 10.0, and is affected by multiple vulnerabilities in the following components :

 - AppleMobileFileIntegrity (CVE-2016-4698)
 - Assets (CVE-2016-4741)
 - Audio (CVE-2016-4702)
 - CFNetwork (CVE-2016-4707, CVE-2016-4708)
 - CommonCrypto (CVE-2016-4711, CVE-2016-4712)
 - FontParser (CVE-2016-4718)
 - GeoServices (CVE-2016-4719)
 - IDS - Connectivity (CVE-2016-4722)
 - IOAcceleratorFamily (CVE-2016-4724, CVE-2016-4725, CVE-2016-4726)
 - Kernel (CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4776, CVE-2016-4777, CVE-2016-4778)
 - Keyboards (CVE-2016-4746)
 - libxml2 (CVE-2016-4658, CVE-2016-5131)
 - libxslt (CVE-2016-4738)
 - Mail (CVE-2016-4747)
 - Messages (CVE-2016-4740)
 - Printing UIKit (CVE-2016-4749)
 - S2 Camera (CVE-2016-4750)
 - Safari Reader (CVE-2016-4618)
 - Sandbox Profiles (CVE-2016-4620)
 - Security (CVE-2016-4753)
 - Springboard (CVE-2016-7759)
 - WebKit (CVE-2016-4728, CVE-2016-4758, CVE-2016-4611, CVE-2016-4729, CVE-2016-4730, CVE-2016-4731, CVE-2016-4734, CVE-2016-4735, CVE-2016-4737, CVE-2016-4759, CVE-2016-4762, CVE-2016-4766, CVE-2016-4767, CVE-2016-4768, CVE-2016-4760, CVE-2016-4733, CVE-2016-4765, CVE-2016-4763)

According to its banner, the version of Apple TV on the remote device is prior to 10. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Audio
  - CFNetwork
  - CoreCrypto
  - FontParser
  - IOAcceleratorFamily
  - Kernel
  - libxml2
  - libxslt
  - Security
  - WebKit

Note that only 4th generation models are affected by these vulnerabilities.

The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, or is not macOS 10.12. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple HSSPI Support
  - AppleEFIRuntime
  - AppleMobileFileIntegrity
  - AppleUCC
  - Application Firewall
  - ATS
  - Audio
  - Bluetooth
  - cd9660
  - CFNetwork
  - CommonCrypto
  - CoreCrypto
  - CoreDisplay
  - curl
  - Date & Time Pref Pane
  - DiskArbitration
  - File Bookmark
  - FontParser
  - IDS - Connectivity
  - ImageIO
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOThunderboltFamily
  - Kerberos v5 PAM module
  - Kernel
  - libarchive
  - libxml2
  - libxpc
  - libxslt
  - mDNSResponder
  - NSSecureTextField
  - Perl
  - S2 Camera
  - Security
  - Terminal
  - WindowServer

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

ID	Name	Product	Family	Severity
126015	Fedora 30 : mingw-libxslt (2019-320d5295fc)	Nessus	Fedora Local Security Checks	high
108821	GLSA-201804-01 : libxslt: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
103237	FreeBSD : GitLab -- multiple vulnerabilities (6a177c87-9933-11e7-93f7-d43d7e971a1b)	Nessus	FreeBSD Local Security Checks	high
100367	openSUSE Security Update : libxslt (openSUSE-2017-609)	Nessus	SuSE Local Security Checks	high
100243	SUSE SLED12 / SLES12 Security Update : libxslt (SUSE-SU-2017:1313-1)	Nessus	SuSE Local Security Checks	high
100208	SUSE SLES11 Security Update : libxslt (SUSE-SU-2017:1282-1)	Nessus	SuSE Local Security Checks	high
99725	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libxslt vulnerabilities (USN-3271-1)	Nessus	Ubuntu Local Security Checks	high
94645	Debian DSA-3709-1 : libxslt - security update	Nessus	Debian Local Security Checks	high
94583	Debian DLA-700-1 : libxslt security update	Nessus	Debian Local Security Checks	high
9620	Mac OS X 10.x < 10.12 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
9621	Apple TV < 10.0 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	critical
9619	Apple iOS < 10.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	critical
93776	Apple TV < 10 Multiple Vulnerabilities	Nessus	Misc.	critical
93685	macOS < 10.12 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical

CVE-2016-4738

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins