-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2157
                              Apple TV 7.0.2
                             18 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apple TV
Publisher:        Apple
Operating System: Apple iOS
Impact/Access:    Root Compromise                 -- Remote with User Interaction
                  Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Denial of Service               -- Remote/Unauthenticated      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-4462 CVE-2014-4461 CVE-2014-4455
                  CVE-2014-4452  

Reference:        ESB-2014.2155

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-11-17-3 Apple TV 7.0.2

Apple TV 7.0.2 is now available and addresses the following:

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A validation issue existed in the handling of certain
metadata fields of IOSharedDataQueue objects. This issue was
addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam


Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".

To check the current version of software, select
"Settings -> General -> About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
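
The CVE-2014-4455 entry above concerns Mach-O files with overlapping segments. The following triage check is an added example and is not Apple's fix or code from the advisory: it assumes "overlapping" means intersecting VM or file ranges among LC_SEGMENT / LC_SEGMENT_64 load commands, handles thin little-endian images only, and uses hypothetical function names and a constructed test image.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin, little-endian images only
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

def parse_segments(data):
    """Return (name, vmaddr, vmsize, fileoff, filesize) per segment load command."""
    if len(data) < 28:
        raise ValueError("truncated Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    off = 32 if magic == MH_MAGIC_64 else 28      # 64-bit header has a reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    segs = []
    for _ in range(ncmds):
        # A header that does not fit yields cmdsize 0 and is rejected below.
        cmd, cmdsize = struct.unpack_from("<2I", data, off) if off + 8 <= end else (0, 0)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command out of bounds")
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = "<16s4Q" if cmd == LC_SEGMENT_64 else "<16s4I"
            if cmdsize < 8 + struct.calcsize(fmt):
                raise ValueError("segment command too small")
            name, *nums = struct.unpack_from(fmt, data, off + 8)
            segs.append((name.rstrip(b"\0").decode("ascii", "replace"), *nums))
        off += cmdsize
    return segs

def find_overlaps(segs, file_len):
    """Flag segment pairs whose VM or file ranges intersect, and ranges past EOF."""
    out = []
    for i, (n, va, vs, fo, fs) in enumerate(segs):
        if fo + fs > file_len:                    # Python ints cannot wrap; C code must check
            out.append(f"{n}: file range past end of file")
        for m, va2, vs2, fo2, fs2 in segs[i + 1:]:
            if vs and vs2 and va < va2 + vs2 and va2 < va + vs:
                out.append(f"{n}/{m}: VM ranges overlap")
            if fs and fs2 and fo < fo2 + fs2 and fo2 < fo + fs:
                out.append(f"{n}/{m}: file ranges overlap")
    return out

def build_sample(segs, size=0x3000):  # constructed 64-bit test image, not a real binary
    cmds = b"".join(struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, n.encode(), *r, 7, 5, 0, 0)
                    for n, *r in segs)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(segs), len(cmds), 0, 0)
    return (hdr + cmds).ljust(size, b"\0")
```
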

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----