95735

1037668

GLSA-201706-15

https://support.apple.com/HT207482

41451

This update for webkit2gtk3 fixes the following issues :

Update to version 2.18.5 :

  + Disable SharedArrayBuffers from Web API.

  + Reduce the precision of 'high' resolution time to 1ms.

  + bsc#1075419 - Security fixes: includes improvements to     mitigate the effects of Spectre and Meltdown     (CVE-2017-5753 and CVE-2017-5715).

Update to version 2.18.4 :

  + Make WebDriver implementation more spec compliant.

  + Fix a bug when trying to remove cookies before a web     process is spawned.

  + WebKitWebDriver process no longer links to     libjavascriptcoregtk.

  + Fix several memory leaks in GStreamer media backend.

  + bsc#1073654 - Security fixes: CVE-2017-13866,     CVE-2017-13870, CVE-2017-7156, CVE-2017-13856.

Update to version 2.18.3 :

  + Improve calculation of font metrics to prevent     scrollbars from being shown unnecessarily in some cases.

  + Fix handling of null capabilities in WebDriver     implementation.

  + Security fixes: CVE-2017-13798, CVE-2017-13788,     CVE-2017-13803.

Update to version 2.18.2 :

  + Fix rendering of arabic text.

  + Fix a crash in the web process when decoding GIF images.

  + Fix rendering of wind in Windy.com.

  + Fix several crashes and rendering issues.

Update to version 2.18.1 :

  + Improve performance of GIF animations.

  + Fix garbled display in GMail.

  + Fix rendering of several material design icons when     using the web font.

  + Fix flickering when resizing the window in Wayland.

  + Prevent default kerberos authentication credentials from     being used in ephemeral sessions.

  + Fix a crash when webkit_web_resource_get_data() is     cancelled.

  + Correctly handle touchmove and touchend events in     WebKitWebView.

  + Fix the build with enchant 2.1.1.

  + Fix the build in HPPA and Alpha.

  + Fix several crashes and rendering issues.

  + Security fixes: CVE-2017-7081, CVE-2017-7087,     CVE-2017-7089, CVE-2017-7090, CVE-2017-7091,     CVE-2017-7092, CVE-2017-7093, CVE-2017-7094,     CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,     CVE-2017-7099, CVE-2017-7100, CVE-2017-7102,     CVE-2017-7104, CVE-2017-7107, CVE-2017-7109,     CVE-2017-7111, CVE-2017-7117, CVE-2017-7120,     CVE-2017-7142.

  - Enable gold linker on s390/s390x on SLE15/Tumbleweed.

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for webkit2gtk3 fixes the following issues: Update to version 2.18.5 :

  + Disable SharedArrayBuffers from Web API.

  + Reduce the precision of 'high' resolution time to 1ms.

  + bsc#1075419 - Security fixes: includes improvements to     mitigate the effects of Spectre and Meltdown     (CVE-2017-5753 and CVE-2017-5715). Update to version     2.18.4 :

  + Make WebDriver implementation more spec compliant.

  + Fix a bug when trying to remove cookies before a web     process is spawned.

  + WebKitWebDriver process no longer links to     libjavascriptcoregtk.

  + Fix several memory leaks in GStreamer media backend.

  + bsc#1073654 - Security fixes: CVE-2017-13866,     CVE-2017-13870, CVE-2017-7156, CVE-2017-13856. Update to     version 2.18.3 :

  + Improve calculation of font metrics to prevent     scrollbars from being shown unnecessarily in some cases.

  + Fix handling of null capabilities in WebDriver     implementation.

  + Security fixes: CVE-2017-13798, CVE-2017-13788,     CVE-2017-13803. Update to version 2.18.2 :

  + Fix rendering of arabic text.

  + Fix a crash in the web process when decoding GIF images.

  + Fix rendering of wind in Windy.com.

  + Fix several crashes and rendering issues. Update to     version 2.18.1 :

  + Improve performance of GIF animations.

  + Fix garbled display in GMail.

  + Fix rendering of several material design icons when     using the web font.

  + Fix flickering when resizing the window in Wayland.

  + Prevent default kerberos authentication credentials from     being used in ephemeral sessions.

  + Fix a crash when webkit_web_resource_get_data() is     cancelled.

  + Correctly handle touchmove and touchend events in     WebKitWebView.

  + Fix the build with enchant 2.1.1.

  + Fix the build in HPPA and Alpha.

  + Fix several crashes and rendering issues.

  + Security fixes: CVE-2017-7081, CVE-2017-7087,     CVE-2017-7089, CVE-2017-7090, CVE-2017-7091,     CVE-2017-7092, CVE-2017-7093, CVE-2017-7094,     CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,     CVE-2017-7099, CVE-2017-7100, CVE-2017-7102,     CVE-2017-7104, CVE-2017-7107, CVE-2017-7109,     CVE-2017-7111, CVE-2017-7117, CVE-2017-7120,     CVE-2017-7142.

  - Enable gold linker on s390/s390x on SLE15/Tumbleweed.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for webkit2gtk3 to version 2.18.0 fixes the following issues :

These security issues were fixed :

  - CVE-2017-7039: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7018: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7030: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7037: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7034: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7055: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7056: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7064: An issue was fixed that allowed remote     attackers to bypass intended memory-read restrictions     via a crafted app (bsc#1050469).

  - CVE-2017-7061: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7048: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7046: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-2538: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1045460)

  - CVE-2017-2496: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website.

  - CVE-2017-2539: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website.

  - CVE-2017-2510: An issue was fixed that allowed remote     attackers to conduct Universal XSS (UXSS) attacks via a     crafted website that improperly interacts with pageshow     events.

  - CVE-2017-2365: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted web site     (bsc#1024749)

  - CVE-2017-2366: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2373: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2363: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted web site     (bsc#1024749)

  - CVE-2017-2362: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2350: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted web site     (bsc#1024749)

  - CVE-2017-2350: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2354: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749).

  - CVE-2017-2355: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (uninitialized memory access and application     crash) via a crafted website (bsc#1024749)

  - CVE-2017-2356: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2371: An issue was fixed that allowed remote     attackers to launch popups via a crafted website     (bsc#1024749)

  - CVE-2017-2364: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted web site     (bsc#1024749)

  - CVE-2017-2369: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2016-7656: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7635: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7654: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7639: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7645: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7652: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7641: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7632: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7599: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted web site that used     HTTP redirects (bsc#1020950)

  - CVE-2016-7592: An issue was fixed that allowed remote     attackers to obtain sensitive information via crafted     JavaScript prompts on a website (bsc#1020950)

  - CVE-2016-7589: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7623: An issue was fixed that allowed remote     attackers to obtain sensitive information via a blob URL     on a website (bsc#1020950)

  - CVE-2016-7586: An issue was fixed that allowed remote     attackers to obtain sensitive information via a crafted     website (bsc#1020950)

For other non-security fixes please check the changelog.

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for webkit2gtk3 to version 2.18.0 fixes the following issues: These security issues were fixed :

  - CVE-2017-7039: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7018: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7030: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7037: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7034: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7055: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7056: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7064: An issue was fixed that allowed remote     attackers to bypass intended memory-read restrictions     via a crafted app (bsc#1050469).

  - CVE-2017-7061: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7048: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-7046: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1050469).

  - CVE-2017-2538: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1045460)

  - CVE-2017-2496: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website.

  - CVE-2017-2539: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website.

  - CVE-2017-2510: An issue was fixed that allowed remote     attackers to conduct Universal XSS (UXSS) attacks via a     crafted website that improperly interacts with pageshow     events.

  - CVE-2017-2365: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2366: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2373: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2363: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2362: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2350: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2350: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2354: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749).

  - CVE-2017-2355: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (uninitialized memory access and application     crash) via a crafted website (bsc#1024749)

  - CVE-2017-2356: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2017-2371: An issue was fixed that allowed remote     attackers to launch popups via a crafted website     (bsc#1024749)

  - CVE-2017-2364: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website     (bsc#1024749)

  - CVE-2017-2369: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1024749)

  - CVE-2016-7656: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7635: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7654: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7639: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7645: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7652: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7641: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7632: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7599: An issue was fixed that allowed remote     attackers to bypass the Same Origin Policy and obtain     sensitive information via a crafted website that used     HTTP redirects (bsc#1020950)

  - CVE-2016-7592: An issue was fixed that allowed remote     attackers to obtain sensitive information via crafted     JavaScript prompts on a web site (bsc#1020950)

  - CVE-2016-7589: An issue was fixed that allowed remote     attackers to execute arbitrary code or cause a denial of     service (memory corruption and application crash) via a     crafted website (bsc#1020950)

  - CVE-2016-7623: An issue was fixed that allowed remote     attackers to obtain sensitive information via a blob URL     on a website (bsc#1020950)

  - CVE-2016-7586: An issue was fixed that allowed remote     attackers to obtain sensitive information via a crafted     website (bsc#1020950) For other non-security fixes     please check the changelog.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201706-15 (WebKitGTK+: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in WebKitGTK+. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attack can use multiple vectors to execute arbitrary code or       cause a denial of service condition.
  Workaround :

    There is no known workaround at this time.

This update addresses the following vulnerabilities :

  -     [CVE-2017-2350](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2350),     [CVE-2017-2354](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2354),     [CVE-2017-2355](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2355),     [CVE-2017-2356](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2356),     [CVE-2017-2362](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2362),     [CVE-2017-2363](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2363),     [CVE-2017-2364](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2364),     [CVE-2017-2365](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2365),     [CVE-2017-2366](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2366),     [CVE-2017-2369](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2369),     [CVE-2017-2371](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2371),     [CVE-2017-2373](https://cve.mitre.org/cgi-bin/cvename.cg     i?name=CVE-2017-2373)

Additional fixes :

  - Make accelerating compositing mode on-demand again. By     default it will only be used for websites that require     it, saving a lot of memory on websites that don&rsquo;t     need it.

  - Release unused UpdateAtlas and reduce the tile coverage     on memory pressure.

  - The media backend now stores preloaded media in /var/tmp     instead of user cache dir.

  - Make inspector work again when accelerated compositing     support is disabled.

  - Fix a deadlock when the media player is destroyed.

  - Fix network process crashes when loading custom URI     schemes.

  - Fix overlay scrollbars that are over a subframe.

  - Fix a crash in GraphicsContext3D::drawArrays when using     OpenGL 3.2 core profile.

  - Fix BadDamage X errors happening when resizing the     WebView.

  - Fix several crashes and rendering issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of iOS running on the mobile device is prior to 10.2.1, and is affected by multiple vulnerabilities :

 - A prototype access flaw exists that is triggered when handling exceptions. With specially crafted web content, a context-dependent attacker may exfiltrate cross-origin data. (CVE-2017-2350)
 - A flaw exists in WiFi that is triggered when handling user input. This may allow a physically present attacker to bypass the lock and briefly access the home screen. (CVE-2017-2351)
 - A logic flaw exists related to state management in Auto Unlock. This may allow a physically present attacker to potentially unlock a watch when it is off the user's wrist. (CVE-2017-2352)
 - A type confusion flaw exists that is triggered as input is not properly validated when handling 'SearchInputType' objects. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-2354)
 - An unspecified memory initialization flaw exists that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided. (CVE-2017-2355)
 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2366, CVE-2017-2369, CVE-2017-2373)
 - A use-after-free error exists in the 'host_self_trap' mach trap. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2017-2360)
 - A flaw exists that is triggered as input is not properly validated when handling page loading. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2363, CVE-2017-2364)
 - A flaw exists that is triggered as input is not properly validated when handling variables. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2365)
 - A flaw exists in Contacts that is triggered as input is not properly validated during the handling of a specially crafted contact card. This may allow a context-dependent attacker to crash the system. (CVE-2017-2368)
 - An overflow condition exists in the 'mach_voucher_extract_attr_recipe_trap()' function that is triggered as certain input is not properly validated. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-2370)
 - An unspecified flaw exists that may allow a context-dependent attacker to bypass popup restrictions via a specially crafted website. No further details have been provided. (CVE-2017-2371)

The remote host is running a version of macOS that is 10.12.x prior to 10.12.3. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - Bluetooth
  - Graphics Drivers
  - Help Viewer
  - IOAudioFamily
  - Kernel
  - libarchive
  - Vim
  - WebKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The version of Apple iOS running on the mobile device is prior to 10.2.1. It is, therefore, affected by multiple vulnerabilities in multiple components, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - Auto Unlock
  - Contacts
  - Kernel
  - libarchive
  - WebKit
  - WiFi

ID	Name	Product	Family	Severity
106549	openSUSE Security Update : webkit2gtk3 (openSUSE-2018-118) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
106370	SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2018:0219-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
104526	openSUSE Security Update : webkit2gtk3 (openSUSE-2017-1268)	Nessus	SuSE Local Security Checks	medium
104428	SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2017:2933-1)	Nessus	SuSE Local Security Checks	medium
100675	GLSA-201706-15 : WebKitGTK+: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
97448	Fedora 25 : webkitgtk4 (2017-0beb752b6e)	Nessus	Fedora Local Security Checks	medium
97428	Fedora 24 : webkitgtk4 (2017-b1abcbe695)	Nessus	Fedora Local Security Checks	medium
97222	Ubuntu 16.04 LTS / 16.10 : webkit2gtk vulnerabilities (USN-3200-1)	Nessus	Ubuntu Local Security Checks	medium
9929	Apple iOS < 10.2.1 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
96731	macOS 10.12.x < 10.12.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
96730	Apple iOS < 10.2.1 Multiple Vulnerabilities	Nessus	Mobile Devices	high

CVE-2017-2371

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins