Kenton Varda

**Name of the Vulnerable Software and Affected Versions** Sandstorm Cap'n Proto versions prior to 0.4.1.1 Sandstorm Cap'n Proto versions 0.5.x prior to 0.5.1.1 **Description** The issue is related to an integer underflow that could potentially allow remote peers to cause a denial of service or possibly obtain sensitive information from memory or execute arbitrary code via a crafted message. **Recommendations** For Sandstorm Cap'n Proto versions prior to 0.4.1.1, update to version 0.4.1.1 or later. For Sandstorm Cap'n Proto versions 0.5.x prior to 0.5.1.1, update to version 0.5.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Cap'n Proto versions prior to 0.5.3.1 **Description** The issue allows remote crashes due to a compiler optimization. A remote attacker can trigger a segfault in a 32-bit libcapnp application because Cap'n Proto relies on pointer arithmetic calculations that overflow. For example, the Apple LLVM version 8.1.0 (clang-802.0.41) compiler has optimization that elides a bounds check in such calculations. The attack vector is a crafted far pointer within a message. **Recommendations** For versions prior to 0.5.3.1, update to version 0.5.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the optimization in the compiler to prevent the elision of bounds checks until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8.3 Apple OS X versions prior to 10.10.3 Apple TV versions prior to 7.2 **Description** The issue is related to the TCP implementation in the kernel, specifically with the Urgent mechanism, also known as out-of-band data. This mechanism is used to send high-priority data. However, due to improper implementation, remote attackers can cause a denial of service by sending crafted packets. **Recommendations** For Apple iOS versions prior to 8.3, update to version 8.3 or later. For Apple OS X versions prior to 10.10.3, update to version 10.10.3 or later. For Apple TV versions prior to 7.2, update to version 7.2 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.16.2 **Description** The issue allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms. This is achieved via a "mount -o remount" command within a user namespace, exploiting the fact that the do remount function in fs/namespace.c does not maintain the MNT LOCK READONLY bit across a remount of a bind mount. **Recommendations** For Linux kernel versions prior to 3.16.2, update to version 3.16.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the "mount -o remount" command within user namespaces to minimize the risk of exploitation.