Sign up to save your podcasts
Or
Share Episode 103
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 103
Overview
This week we take a deep dive look at 2 recent vulnerabilities in the
popular application containerisation frameworks, snapd and flatpak, plus we
cover security updates for MiniDLNA, PHP-PEAR, the Linux kernel and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4720-2] Apport vulnerabilities [00:53]
[USN-4721-1] Flatpak vulnerability [01:06]
mount / user / etc namespaces - allows sandboxed applications to
communicate with the host via various portals - ie. open a file via a
file chooser portal (aka powerbox)
a new sandbox instance, following a NNP model (ie same or less privileges
as caller) (eg. used by sandboxed webbrowers to process untrusted content
inside less privileged subprocesses)
variables which would then get passed to the `flatpak run` command to
launch the new subprocess in its own sandbox - so fix is to sanitize
environment variables
[USN-4722-1] ReadyMedia (MiniDLNA) vulnerabilities [01:11]
encoding, this would exploit a signdness bug leading to a heap buffer
overflow
requests with a URL on a different network segment - could allow an
attacker to cause a miniDLNA server to DoS a different endpoint
[USN-4723-1] PEAR vulnerability [02:30]
overwrite via directory traversal - since PHP PEAR runs installer as
root, could then overwrite arbitrary files as root and priv esc / code
execution etc
[USN-4724-1] OpenLDAP vulnerabilities [03:14]
[USN-4725-1] QEMU vulnerabilities [03:20]
disclosure from host to guest or a crash of qemu host process etc
[USN-4717-2] Firefox regression [03:55]
[USN-4726-1] OpenJDK vulnerability [04:04]
buffering of characters” -> DoS or other unspecified impact
[USN-4713-2] Linux kernel vulnerability [04:22]
[USN-4727-1] Linux kernel vulnerability [04:36]
[USN-4728-1] snapd vulnerability [05:11]
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we take a deep dive look at 2 recent vulnerabilities in the
popular application containerisation frameworks, snapd and flatpak, plus we
cover security updates for MiniDLNA, PHP-PEAR, the Linux kernel and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4720-2] Apport vulnerabilities [00:53]
[USN-4721-1] Flatpak vulnerability [01:06]
mount / user / etc namespaces - allows sandboxed applications to
communicate with the host via various portals - ie. open a file via a
file chooser portal (aka powerbox)
a new sandbox instance, following a NNP model (ie same or less privileges
as caller) (eg. used by sandboxed webbrowers to process untrusted content
inside less privileged subprocesses)
variables which would then get passed to the `flatpak run` command to
launch the new subprocess in its own sandbox - so fix is to sanitize
environment variables
[USN-4722-1] ReadyMedia (MiniDLNA) vulnerabilities [01:11]
encoding, this would exploit a signdness bug leading to a heap buffer
overflow
requests with a URL on a different network segment - could allow an
attacker to cause a miniDLNA server to DoS a different endpoint
[USN-4723-1] PEAR vulnerability [02:30]
overwrite via directory traversal - since PHP PEAR runs installer as
root, could then overwrite arbitrary files as root and priv esc / code
execution etc
[USN-4724-1] OpenLDAP vulnerabilities [03:14]
[USN-4725-1] QEMU vulnerabilities [03:20]
disclosure from host to guest or a crash of qemu host process etc
[USN-4717-2] Firefox regression [03:55]
[USN-4726-1] OpenJDK vulnerability [04:04]
buffering of characters” -> DoS or other unspecified impact
[USN-4713-2] Linux kernel vulnerability [04:22]
[USN-4727-1] Linux kernel vulnerability [04:36]
[USN-4728-1] snapd vulnerability [05:11]
Get in contact