Xiaofeng Zheng

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 9.3.3 tvOS versions prior to 9.2.2 OS X El Capitan versions prior to 10.11.6 and Security Update 2016-004 **Description** A validation issue existed in the parsing of 407 responses, which was addressed through improved response validation. **Recommendations** For iOS versions prior to 9.3.3, update to version 9.3.3 or later. For tvOS versions prior to 9.2.2, update to version 9.2.2 or later. For OS X El Capitan versions prior to 10.11.6 and Security Update 2016-004, update to version 10.11.6 and apply Security Update 2016-004.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.1 Apple OS X versions prior to 10.11.1 **Description** The issue arises from the improper consideration of uppercase-versus-lowercase distinction during cookie parsing in CFNetwork. This allows remote web servers to overwrite cookies. **Recommendations** For Apple iOS versions prior to 9.1, update to version 9.1 or later. For Apple OS X versions prior to 10.11.1, update to version 10.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9 **Description** The issue arises from the CFNetwork Proxies component's improper handling of a Set-Cookie header within a response to an HTTP CONNECT request. This allows remote proxy servers to conduct cookie-injection attacks via a crafted response. The vulnerability can be exploited by a remote attacker to inject cookies using a specially formed request. **Recommendations** For Apple iOS versions prior to 9, update to a version 9 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted proxy servers to minimize the risk of exploitation. Avoid using the `Set-Cookie` header in responses to HTTP CONNECT requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9 **Description** The issue is related to the CFNetwork HTTPProtocol component, which allows remote attackers to bypass the HSTS protection mechanism. This can be achieved via a crafted URL, potentially leading to the exposure of sensitive information. **Recommendations** For versions prior to 9, update to iOS version 9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9 **Description** The issue is related to the CFNetwork Cookies component, which allows remote attackers to track users. This is due to a lack of protection for service data, enabling a remote attacker to exploit the issue and track users. **Recommendations** For versions prior to 9, update to iOS version 9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.8 phpMyAdmin versions 4.2.x through 4.2.13.1 phpMyAdmin versions 4.3.x through 4.3.11.0 **Description** The issue allows remote attackers to conduct a BREACH attack and determine the CSRF token via a series of crafted requests. This is due to invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.8, update to version 4.0.10.9 or later. For phpMyAdmin versions 4.2.x through 4.2.13.1, update to version 4.2.13.2 or later. For phpMyAdmin versions 4.3.x through 4.3.11.0, update to version 4.3.11.1 or later.