Dirk-Willem Van Gulik

**Name of the Vulnerable Software and Affected Versions** GAEN (Google/Apple Exposure Notifications) protocol through 2020-09-29 **Description** The issue allows a user to be coerced into proving or disproving an exposure notification due to the persistent state of a private framework in COVID-19 applications on Android and iOS. **Recommendations** For GAEN protocol through 2020-09-29, consider restricting access to the private framework to minimize the risk of coercion or data leakage until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.7.4 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted X.509 certificate, due to libsecurity accessing uninitialized memory locations during certificate processing. **Recommendations** For versions prior to 10.7.4, update to version 10.7.4 or later to resolve the issue.