-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1867
                   Safari 13.1.1 includes security fixes
                                27 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  Mac OS
Platform:          PowerPCt
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9850 CVE-2020-9843 CVE-2020-9807
                   CVE-2020-9806 CVE-2020-9805 CVE-2020-9803
                   CVE-2020-9802 CVE-2020-9801 CVE-2020-9800
                   CVE-2019-20503  

Reference:         ESB-2020.1861
                   ESB-2020.1855
                   ESB-2020.0868
                   ESB-2020.0866

Original Bulletin: 
   https://support.apple.com/en-au/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-05-26-7 Safari 13.1.1

Safari 13.1.1 is now available and addresses the following:

Safari
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A malicious process may cause Safari to launch an application
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9801: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Microâ\x{128}\x{153}s Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9802: Samuel GroÃ\x{159} of Google Project Zero

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9805: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro
Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9806: Wen Xu of SSLab at Georgia Tech
CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Microâ\x{128}\x{153}s Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9843: Ryan Pickren (ryanpickren.com)

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

WebRTC
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An access issue was addressed with improved memory
management.
CVE-2019-20503: Natalie Silvanovich of Google Project Zero

Additional recognition

WebKit
We would like to acknowledge Aidan Dunlap of UT Austin for their
assistance.

Installation note:

Safari 13.1.1 may be obtained from the Mac App Store.
- -----BEGIN PGP SIGNATURE-----
Version: BCPG v1.64

iQIcBAEDCAAGBQJezV7rAAoJEAc+Lhnt8tDNAB4P/ii6fKM9mmFamwvDreABeVd7
u32JJjalk28WkDgudvnqa9cY/mzHtUwYODyrCaL3kjPisKiD7rRabVOWk8/rD6wi
m6c8uk+g7of77qJ5m5y5g+TJdtYLxGItzJO5m9v+CqGrfX3hyCuIjnhsHrGWeqYF
oYH4Xlkrw4Piy+Tw6jN5nBnR1I+d0C/h95SxOUIHae9HEjPmggF5QOfxMqzGNXWx
MVO0jWoQL2Z4OzxMvmbNSQ5rkKeJNheedBdMuOMnh03o9wuyjgZV3aPEOMxVgE3g
ZcCNIc1xjnGDiwhLab4/jqj7Py/EdpT04RADxymEgKpktLCIbSRi7skUkOvF7+zN
IR8aVq5j4DXyJkadho4vjBhnkj0wCckyhsTw7kQ5ZGLqruFuB09ZwNHKhl9OcnXc
TuamaVUn/ADC28NU2Fkf+/RaeYSvHSbvrDeDR0PDyCx5rLJwide/2UxNEZL4H8KD
2oIEr/I7BVeHcP8D0YYs3INtqJ3Yz0+P06bTvWh46bRw8uPkizcRS5IbpC+Sd5dh
jd4efVe4ltTAQeDc91iSUnKy1vYpl/iOagHtO0CntnA/Fl44WEMR5NJDCQmQvA0i
L8UWLAuJTZ1EngIlWv7ueqyhSp5qayX0PVQjAEpLxhgxmQXMmb9A83YMJYt7ORdk
b2R6ImCxrVcNhr0o2lWK
=MjL1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXs3qJeNLKJtyKPYoAQhCbA//VgJ4B22fZIIcGAyxosIdfaA++UMh0rIe
xSCY+UDlfPVssie8p0ynR8S8L2BJSetw/YMQbOWf3rbfTCZn03fKRkGX5TpT4MBU
g0gNifzq+NYGoPnSk8XirziEJUHcgxMVd5zwVG0WUHiIm9WJdS7ak1tN753VrRQT
YnJ4kUSNkBrih38x9qQUBA594ws9ej4huW65lM52Zphuw0ueIOiwjtL6DqVixw2c
lQXy7py+6vVP815SkX1dPERGap+Lq+EIvvM/kI6W32oZasbqU0Vd3zxxuKQJ6oeE
ntCHWcq+pdkbroqIUq/JW+4kqr9cCYoYlt2TtSkMhTeYEhEPcqRJReMFFGuDZTbu
0uR1KQZIEYeCMySSvVWldWt3z6TYL3u7LlHz73lR7FoqgiepeCeisqXKLy/96RR/
9kolfZoGtUe0KsXJz/r6cJGyonDuCWzb0ql7m2RCbcazA9WtCjK3Ta3ERhgPkn1z
dfD6fyEgIPfWcvP2ZLFB+rQDxNuVoCnN/Oqied0gRMBHVnVzEItXuZWAX9bZiz+b
TZoWZYP4Bh5Lxt0UQshovwEJMWRaQhahAPJJMt0sJAZAobQOI0kBdmQDXaVOfdGQ
XnO6ol6RUbyY5HVRuWbz4wufKfeCPzyVXJLREhY6CupJAHZwmubE/aknU4s+K8pq
5SL3cTqbbAI=
=+GX8
-----END PGP SIGNATURE-----