iOS 16.1.1 includes fixes for two libxml vulnerabilities(support.apple.com)
support.apple.com
iOS 16.1.1 includes fixes for two libxml vulnerabilities
https://support.apple.com/en-us/HT213505
31 comments
More details in the original bug reports which I made public yesterday:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/381
https://gitlab.gnome.org/GNOME/libxml2/-/issues/401
https://gitlab.gnome.org/GNOME/libxml2/-/issues/381
https://gitlab.gnome.org/GNOME/libxml2/-/issues/401
slay!
really great darknet interview too!!! thanks for your amazing work
really great darknet interview too!!! thanks for your amazing work
No love for devices stuck on ios 15? Yes, it's technically out of support, but less than two weeks ago apple released 15.7.1 which is a security patch.
Also missing are macOS Monterey and Big Sur: https://support.apple.com/en-us/HT201222
Should still be supported for security updates, maybe it'll be released in a couple of days.
Apple doesn’t patch older versions: https://arstechnica.com/gadgets/2022/10/apple-clarifies-secu...
That’s not what that says. Apple does not commit to updating older versions for EVERYTHING. That does not mean they don’t patch them at all - here’s the official verbiage:
“Upgrades are released much less frequently than updates, and can take a while to install because of their large size. Also, older devices may not be eligible for upgrades because they don’t have the space or power to support the new software.
Note: Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13), not all known security issues are addressed in previous versions (for example, macOS 12).”
This matches what we’ve seen before where many updates come out for older versions but they’re not making Red Hat-style efforts to back port patches for ages rather then pushing people to make major upgrades.
“Upgrades are released much less frequently than updates, and can take a while to install because of their large size. Also, older devices may not be eligible for upgrades because they don’t have the space or power to support the new software.
Note: Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13), not all known security issues are addressed in previous versions (for example, macOS 12).”
This matches what we’ve seen before where many updates come out for older versions but they’re not making Red Hat-style efforts to back port patches for ages rather then pushing people to make major upgrades.
They are still maintaining iOS 12...
https://support.apple.com/en-us/HT213428
https://support.apple.com/en-us/HT213428
Published Date: August 31, 2022IIRC iOS 12 is a special case for a specific device set.
Do you have any details on why this is the case, thats super interesting.
A bunch of devices lost support with iOS 13. I don't remember offhand but a quick search shows that the iPod Touch 6th Gen was discontinued the latest of the iOS 12 supported devices. It was sold through mid 2019. So I think that's why.
Same thing happened with iOS 16 and Ventura
One would have to do a careful analysis whether iOS 12.x really gets all the security love it requires. Last time I checked (probably 1-2 years ago) the iPhone 5s (a backup smartphone I used) missed security updates.
they release some security updates for older phones and oses
they probably do it in a best effort basis and some fixes are skipped when it's too much work to backport.
they probably do it in a best effort basis and some fixes are skipped when it's too much work to backport.
Is ios 15 vulnerable? I assume it is, but I can't find a good answer.
Yes, iOS 15 is vulnerable to these and probably others.
Everything is probably vulnerable to other vulnerabilities...
Thank you, Apple friends! You’ve made the world a better place, and I salute your subtle bug-fixing acumen. These can’t have been easy to find, and you have my completely unironic gratitude.
(I know this sounds extremely corny, but someone should say it.)
(I know this sounds extremely corny, but someone should say it.)
Why are core iOS libraries susceptible to integer overflow vulnerabilities?
This seems like a more important issue to address than simply fixing this one instance where it was found.
This seems like a more important issue to address than simply fixing this one instance where it was found.
Because it's just like any other open-source library written in an unsafe language.
Correction: Because it's just like any other library written in an unsafe language.
With how much money Apple has and how much they promote security. It's quite shocking how we see a major preventable vulnerability come out pretty much every single month.
Some credit to them for fixing these things and rolling out the fixes quickly, but at some point we have to question why iOS needs urgent security patches constantly. And you know that all the large governments have troves of these iOS bugs sitting unreported.
Some credit to them for fixing these things and rolling out the fixes quickly, but at some point we have to question why iOS needs urgent security patches constantly. And you know that all the large governments have troves of these iOS bugs sitting unreported.
I note that Debian fixed these a few days earlier. Based on the commits/issues up-thread it sounds like these were embargoed for a while, so I wonder why the difference in release dates between Debian and Apple.
https://www.debian.org/security/2022/dsa-5271
https://www.debian.org/security/2022/dsa-5271
Seems odd that the macOS update for libxml is 600MB and requires a reboot, not to mention that it requires a reboot on macOS ace Ventura - which was toted as not needing reboots for most security updates.
CVE-2022-40304: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433...