OpenSSL 1.0.1u, 1.0.2i, 1.1.0a released
FYI...
OpenSSL 1.0.1u, 1.0.2i, 1.1.0a released
- https://www.openssl.org/news/secadv/20160922.txt
22 Sep 2016 - "Severity: High ...
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u ..."
- https://www.openssl.org/news/secadv/20160926.txt
26 Sep 2016 - "Severity: Critical
OpenSSL 1.1.0 users should upgrade to 1.1.0b ...
OpenSSL 1.0.2i users should upgrade to 1.0.2j ..."
> https://isc.sans.edu/diary.html?storyid=21509
2016-09-22 - "OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).
The update fixes -14- different vulnerabilities... With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported..."
(See chart @ the isc URL above.)
___
- http://www.securitytracker.com/id/1036878
CVE Reference: CVE-2016-6304
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.0.1, 1.0.2, 1.1.0...
Impact: A remote authenticated user can consume excessive memory resources on the target system.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a)...
- http://www.securitytracker.com/id/1036879
CVE Reference: CVE-2016-6305
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 1.1.0...
Impact: A remote authenticated user can cause the target service to hang.
Solution: The vendor has issued a fix (1.1.0a)...
- http://www.securitytracker.com/id/1036885
CVE Reference: CVE-2016-6302, CVE-2016-6303, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052
Updated: Sep 26 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can cause the target service or application to crash.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a).
[Editor's note: On September 26, 2016, the vendor reported that two of the fixed versions contain vulnerabilities. Version 1.1.0a is affected by a use-after-free memory error (CVE-2016-6309), reported by Robert Swiecki (Google Security Team). Version 1.0.2i is affected by a CRL processing null pointer exception (CVE-2016-7052), reported by Bruce Stephens and Thomas Jakobi. The revised fixes are versions 1.1.0b and 1.0.2j.]
___
- https://www.us-cert.gov/ncas/current...curity-Updates
Last revised: Sep 26, 2016
:fear::fear:
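The two advisories above move the target version twice within four days (1.0.2i then 1.0.2j, 1.1.0a then 1.1.0b), and OpenSSL's letter-suffix scheme does not sort as a plain string. The following is an added example, not code from the advisories or the OpenSSL project: it parses an `openssl version` style string, orders versions by OpenSSL's patch-letter rules, and reports whether the installed build is at or past the fixed version for its branch. The fixed-version table holds only the versions named in the advisories; the sample inputs are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed versions per branch, taken from the advisories quoted above. The 22 Sep
# fixes for 1.0.2 (1.0.2i) and 1.1.0 (1.1.0a) were themselves superseded on
# 26 Sep, so the later version is the target for those two branches.
FIXED_VERSIONS: Dict[Tuple[int, int, int], str] = {
    (1, 0, 1): "1.0.1u",
    (1, 0, 2): "1.0.2j",
    (1, 1, 0): "1.1.0b",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Extract (major, minor, fix, letters) from strings such as '1.0.2i',
    'OpenSSL 1.0.2j  26 Sep 2016' or a distro string like '1.0.2g-1ubuntu4'.
    Anything after the letter suffix (e.g. '-fips', '-1ubuntu4') is ignored."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def version_key(parsed: Tuple[int, int, int, str]) -> Tuple[int, int, int, int, str]:
    """Sort key honouring OpenSSL's patch-letter scheme: the bare release
    precedes 'a', and after 'z' the suffix grows ('za', 'zb', ...), so the
    suffix length is compared before the letters themselves."""
    major, minor, fix, letters = parsed
    return (major, minor, fix, len(letters), letters)


def check_openssl(text: str) -> Dict[str, str]:
    """Compare an installed version against the fixed version for its branch.
    Returns status 'ok', 'upgrade' or 'unknown-branch' (a branch these
    advisories do not cover, e.g. the old 0.9.8 or 1.0.0 lines)."""
    installed = parse_openssl_version(text)
    branch = installed[:3]
    installed_str = f"{branch[0]}.{branch[1]}.{branch[2]}{installed[3]}"
    fixed_str = FIXED_VERSIONS.get(branch)
    if fixed_str is None:
        return {"installed": installed_str, "status": "unknown-branch"}
    fixed = parse_openssl_version(fixed_str)
    status = "ok" if version_key(installed) >= version_key(fixed) else "upgrade"
    return {"installed": installed_str, "fixed": fixed_str, "status": status}


if __name__ == "__main__":
    # Constructed sample inputs, including the format printed by `openssl version`.
    for sample in ["OpenSSL 1.0.2i  22 Sep 2016", "1.0.2j", "1.1.0a", "1.0.2", "0.9.8zh"]:
        print(sample, "->", check_openssl(sample))
```

Feed it the output of `openssl version` on each host. One caveat for distribution builds: vendors such as Debian or Red Hat commonly backport fixes without bumping the upstream version string, so an "upgrade" verdict on a distro package should be confirmed against that distribution's own advisory or package changelog rather than taken at face value.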
Thunderbird 45.4.0 released
FYI...
Thunderbird 45.4.0 released
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Oct 3, 2016
What’s New:
Fixed:
- Display name was truncated if no separating space before email address.
- Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
- Additional spaces were inserted when drafts were edited.
- Mail saved as template copied In-Reply-To and References from original email.
- Threading broken when editing message draft, due to loss of Message-ID
- "Apply columns to..." did not honor special folders
... 12 bugs fixed.
Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
- https://www.mozilla.org/en-US/thunderbird/releases/
Download
- https://www.mozilla.org/en-US/thunderbird/all/
Add-ons
- https://addons.mozilla.org/en-US/thunderbird/
:fear:
Apple security updates - 2016.10.24
FYI...
- https://support.apple.com/en-us/HT201222
iOS 10.1
- https://support.apple.com/en-us/HT207271
Oct 24, 2016 - "Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later..."
- http://www.securitytracker.com/id/1037088
CVE Reference: CVE-2016-4664, CVE-2016-4665, CVE-2016-4680, CVE-2016-4686
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: An application user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.1)...
Safari 10.0.1
- https://support.apple.com/en-us/HT207272
Oct 24, 2016 - "Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12..."
- http://www.securitytracker.com/id/1037087
CVE Reference: CVE-2016-4666, CVE-2016-4676, CVE-2016-4677
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.0.1...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.0.1)...
macOS Sierra 10.12.1
- https://support.apple.com/en-us/HT207275
Oct 24, 2016 - "Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6..."
- http://www.securitytracker.com/id/1037086
CVE Reference: CVE-2016-4635, CVE-2016-4660, CVE-2016-4661, CVE-2016-4662, CVE-2016-4663, CVE-2016-4667, CVE-2016-4669, CVE-2016-4671, CVE-2016-4673, CVE-2016-4674, CVE-2016-4675, CVE-2016-4678, CVE-2016-4679, CVE-2016-4682, CVE-2016-7579
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.12.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can cause denial of service conditions on the target system.
A remote user can modify files on the target system.
A local user can obtain root privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.12.1)...
tvOS 10.0.1
- https://support.apple.com/en-us/HT207270
Oct 24, 2016 - "Available for: Apple TV (4th generation)..."
watchOS 3.1
- https://support.apple.com/en-us/HT207269
Oct 24, 2016 - "Available for: All Apple Watch models..."
:fear:
Adblock Plus 2.8 for Firefox
FYI...
Adblock Plus 2.8 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2016-10-25
Install Adblock Plus 2.8 for Firefox
This release changes the way element hiding works in Firefox, so that noticeable delays from changing a single element hiding rule should be no more. Also, the behavior should be more consistent now and filters not applying on a particular website should no longer be able to cause unexpected side-effects. On the downside, changes to element hiding rules will only apply after a page is reloaded now (which is actually consistent with blocking rules).
Additional changes:
- There is a special $websocket type option now to block WebSocket requests; the type was previously considered to be other here (announcement*).
* https://adblockplus.org/development-...for-websockets
- Our toolbar icon will look better on high-resolution screens (issue 4142).
- Removed feature selection from the first-run page until the features can be removed similarly easily (issue 4294).
- Hits for CSS property filters which were introduced in the previous release are being counted now (issue 3969).
- Fixed: CSS property filters applied even when Adblock Plus was disabled everywhere (issue 4201).
- Fixed: A regression in pop-up blocking functionality caused websites to be mistakenly considered pop-ups under some circumstances (issue 4335).
- Corrected handling of frames with srcdoc attribute.
- Fixed and improved search functionality in Filter Preferences, was partially broken in Firefox nightly builds (issue 4510)...
:fear:
Adblock Plus 2.8.1 for Firefox released
FYI...
Adblock Plus 2.8.1 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2016-10-28 - "Our Adblock Plus 2.8 release introduced a -regression- that went unnoticed for months in the development builds. Users who activated the please_kill_startup_performance preference were experiencing data loss: filters didn’t load completely. Also, importing custom filters was failing for large files. Both issues have the same root cause (issue 4576) and have been resolved in Adblock Plus 2.8.1. If your data is still incomplete after updating to Adblock Plus 2.8.1 please click the “Backup and Restore” button in Filter Preferences — one of the automatically created backups is certain to be correct."
:fear::fear::fear:
Apple updates - 2016.10.27-31
FYI...
- https://support.apple.com/en-us/HT201222
iOS 10.1.1
- https://support.apple.com/en-us/HT207287
Oct 31, 2016 - "iOS 10.1.1 includes the security content of iOS 10.1*."
iOS 10.1
* https://support.apple.com/en-us/HT207271
Oct 24, 2016
> http://www.macrumors.com/2016/10/31/...es-ios-10-1-1/
Oct 31, 2016 - "...Today's update fixes bugs including an issue where Health data could not be viewed for some users. iOS 10.1.1 can be downloaded as a free over-the-air update on all iPhone, iPad, and iPod touch models compatible with iOS 10...
Update: Apple has subsequently stopped signing iOS 10.0.2 and iOS 10.0.3, meaning that users can no longer downgrade to those software versions."
- http://appleinsider.com/articles/16/...-in-health-app
Oct 31, 2016
___
iTunes 12.5.2 for Windows
- https://support.apple.com/en-us/HT207274
Oct 27, 2016 - "Available for: Windows 7 and later..."
- http://www.securitytracker.com/id/1037139
CVE Reference: CVE-2016-4613, CVE-2016-7578
Oct 28 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 12.5.2 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (12.5.2; for Windows)...
___
iCloud for Windows 6.0.1
- https://support.apple.com/en-us/HT207273
Oct 27, 2016 - "Available for: Windows 7 and later..."
___
Xcode 8.1
- https://support.apple.com/en-us/HT207268
Oct 27, 2016 - "Available for: OS X El Capitan v10.11.5 and later..."
:fear::fear::fear:
Thunderbird 45.5.0 released
FYI...
Thunderbird 45.5.0 released
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Nov 18, 2016
What’s New:
Changed: IMPORTANT: Changed recipient address entry: Arrow-keys now copy the pop-up value to the input field. Mouse-hovered pop-up value can no longer be confirmed with tab or enter key. This restores the behavior of Thunderbird 24.
Changed: Support changes to character limit in Twitter
Fixed:
- Reply with selected text containing quote resulted in wrong quoting level indication
- Mail address display at header pane displayed incorrectly if the address contains UTF-8 according to RFC 6532
- Attempting to sort messages on the Date field whilst a quick filter is applied got stuck on sort descending
- Email invitation might not be displayed when description contains non-ASCII characters
Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
- https://www.mozilla.org/en-US/thunderbird/releases/
Download
- https://www.mozilla.org/en-US/thunderbird/all/
Add-ons
- https://addons.mozilla.org/en-US/thunderbird/
:fear:
Adblock Plus 2.8.2 for Firefox released
FYI...
Adblock Plus 2.8.2 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2016-11-22
Install Adblock Plus 2.8.2 for Firefox
... This is a maintenance release, most importantly introducing some improvements to CSS property filters.
Additional changes:
- Made sure that element hiding rules don’t affect browser’s and extensions’ special pages; this regressed with Adblock Plus 2.8 (issue 4624, issue 4625).
- Fixed blockable items list slowing down page loading (issue 4587).
- Pop-ups using data: URLs and similar unusual schemes can be blocked now (issue 4368).
- When selecting keyboard shortcuts, more shortcut keys already in use by the browser can be recognized. This will change the shortcut key to show Blockable items list from Ctrl/Cmd-Shift-V to Ctrl/Cmd-Shift-U for pretty much everybody (issue 4544).
:fear::fear:
Network Time Protocol update
FYI...
Network Time Protocol update
- https://www.us-cert.gov/ncas/current...ol-Daemon-ntpd
Nov 21, 2016 - "The Network Time Foundation's NTP Project has released version ntp-4.2.8p9 to address multiple vulnerabilities in ntpd. Exploitation of some of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition.
US-CERT encourages users and administrators to review Vulnerability Note VU#633847* and the NTP Security Notice Page** for vulnerability and mitigation details."
* http://www.kb.cert.org/vuls/id/633847
** http://nwtime.org/ntp428p9_release/
___
- http://www.securitytracker.com/id/1037354
CVE Reference: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, CVE-2016-9312
Nov 29 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.2.8p9 ...
Impact: A remote user can cause the target service to crash.
A remote user can obtain potentially sensitive information from the target system.
A remote user can conduct denial of service amplification attacks against other targets.
Solution: The vendor has issued a fix (4.2.8p9)...
Vendor URL: http://support.ntp.org/bin/view/Main...4_2_8p9_NTP_Se
:fear::fear:
Thunderbird 45.5.1 released
FYI...
Thunderbird 45.5.1 released
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Nov 30, 2016
- https://www.mozilla.org/en-US/securi...nderbird45.5.1
- https://www.mozilla.org/en-US/securi...s/mfsa2016-92/
Fixed in:
Thunderbird 45.5.1
CVE-2016-9079: Use-after-free in SVG Animation
Critical
Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
- https://www.mozilla.org/en-US/thunderbird/releases/
Download
- https://www.mozilla.org/en-US/thunderbird/all/
Add-ons
- https://addons.mozilla.org/en-US/thunderbird/
___
- http://www.securitytracker.com/id/1037371
CVE Reference: CVE-2016-9079
Dec 1 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): prior to 45.5.1
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: Mozilla.org has issued a fix for Mozilla Thunderbird (45.5.1)...
___
- https://www.us-cert.gov/ncas/current...curity-Updates
Nov 30, 2016
:fear::fear: