"Date: Wed, 03 Dec 2014 13:55:42 -0800
From: Apple Product Security
To: security-announce@lists.apple.com
Subject: APPLE-SA-2014-12-2-1 Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1
X-Mailer: Apple Mail (2.1993)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2014-12-3-1 Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1
Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1 is now available and
addresses the following:
WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10.1
Impact: Style sheets are loaded cross-origin which may allow for
data exfiltration
Description: An SVG loaded in an img element could load a CSS file
cross-origin. This issue was addressed through enhanced blocking of
external CSS references in SVGs.
CVE-ID
CVE-2014-4465 : Rennie deGraaf of iSEC Partners
WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10.1
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: A UI spoofing issue existed in the handling of
scrollbar boundaries. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1748 : Jordan Milne
WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4459
CVE-2014-4466 : Apple
CVE-2014-4468 : Apple
CVE-2014-4469 : Apple
CVE-2014-4470 : Apple
CVE-2014-4471 : Apple
CVE-2014-4472 : Apple
CVE-2014-4473 : Apple
CVE-2014-4474 : Apple
CVE-2014-4475 : Apple
..."
»
support.apple.com/kb/HT1222 will have the details on them.