Sign up to save your podcasts
Or
Share Episode 113
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 113
Overview
With 21 CVEs fixed this week we look at updates for Dnsmasq, Firefox,
OpenJDK and more, plus we discuss the recent release of Ubuntu 21.04 and
malicious commits in the upstream Linux kernel.
This week in Ubuntu Security Updates
21 unique CVEs addressed
[USN-4916-2] Linux kernel regression [00:48]
the fix effectively introduced a new vuln but only a DoS not priv esc
[USN-4924-1] Dnsmasq vulnerabilities [01:17]
where for DNSSEC configurations could end up having dnsmasq prove the
non-existence of hostnames that actually exist - so again a DoS but not
in the traditional sense
[USN-4925-1] Shibboleth vulnerability [01:57]
generation would use attacker controlled inputs
[USN-4926-1] Firefox vulnerabilities [02:19]
an issue in FTP client where specially crafted FTP URL (ie one containing
newlines) could embed FTP commands and cause the client to execute
arbitrary FTP commands to the server
expected to be removed in a future release
[USN-4927-1] File Roller vulnerability [03:46]
traversal via symlink issue on extraction of archives
[USN-4892-1] OpenJDK vulnerability [04:15]
properly verify signatures on crafted JARs - could bypass security
restrictions if a JAR is signed with an algorithm that is disabled
[USN-4922-2] Ruby vulnerability [04:35]
[USN-4913-2] Underscore vulnerability [04:49]
untrusted input
Goings on in Ubuntu Security Community
Ubuntu 21.04 Hirsute Hippo Released [05:05]
providing improved protection against memory corruption vulns
Hypocrite commits and the upstream Linux kernel [07:38]
from University of Minnesota tweeted about the acceptance of their paper
to IEEE S&P 2021 - this showed the first page of the paper and seemed to
indicate that for the purposes of academic research a number of malicious
commits (ie commits that when added to the kernel would create a
vulnerability) had been introduced into the upstream kernel.
etc regarding both the ethics of effectively experimenting on subjects
without their consent and the concept of purposely introducing vulns just
for the sake of research purposes
fix the vulns and so none actually would have made it to end users so
they thought it was effectively done
just demonstrating something that most folks in OSS always knew was a
potential reality - that once a contributor to a project builds a certain
level of trust it would be relatively easy to introduce vulns like this
in a stealthy manner and that the best defence would be better automated
review tooling (static/dynamic analysis via CI etc) rather than trying to
rely on human reviewers to detect
full and it was revealed that 3 malicious commits were potentially
integrated into the upstream kernel - actually only 1 was ACKed and then
this was rejected and the other 2 were rejected outright. Recently,
GregKH weighed in and effectively blacklisted all contributions from UMN
and proposed to revert all commits that had come from umn.edu authors
review by various developers to decide which should NOT be reverted as
lots of them did actually fix legitimate issues
reverted as a result
this can be abused in either direction - tempting to jump to technical
solutions (ie better static analysis/CI etc) but this will never be
foolproof - also need the ability to move fast so can get say reverts
done and delivered to users, and also to build good relationships BUT in
the end need to still be wary - “trust but verify” - both on a technical
basis and also on a personal basis so we can better understand the
provenance of code etc
Hiring [14:36]
AppArmor Security Engineer
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
With 21 CVEs fixed this week we look at updates for Dnsmasq, Firefox,
OpenJDK and more, plus we discuss the recent release of Ubuntu 21.04 and
malicious commits in the upstream Linux kernel.
This week in Ubuntu Security Updates
21 unique CVEs addressed
[USN-4916-2] Linux kernel regression [00:48]
the fix effectively introduced a new vuln but only a DoS not priv esc
[USN-4924-1] Dnsmasq vulnerabilities [01:17]
where for DNSSEC configurations could end up having dnsmasq prove the
non-existence of hostnames that actually exist - so again a DoS but not
in the traditional sense
[USN-4925-1] Shibboleth vulnerability [01:57]
generation would use attacker controlled inputs
[USN-4926-1] Firefox vulnerabilities [02:19]
an issue in FTP client where specially crafted FTP URL (ie one containing
newlines) could embed FTP commands and cause the client to execute
arbitrary FTP commands to the server
expected to be removed in a future release
[USN-4927-1] File Roller vulnerability [03:46]
traversal via symlink issue on extraction of archives
[USN-4892-1] OpenJDK vulnerability [04:15]
properly verify signatures on crafted JARs - could bypass security
restrictions if a JAR is signed with an algorithm that is disabled
[USN-4922-2] Ruby vulnerability [04:35]
[USN-4913-2] Underscore vulnerability [04:49]
untrusted input
Goings on in Ubuntu Security Community
Ubuntu 21.04 Hirsute Hippo Released [05:05]
providing improved protection against memory corruption vulns
Hypocrite commits and the upstream Linux kernel [07:38]
from University of Minnesota tweeted about the acceptance of their paper
to IEEE S&P 2021 - this showed the first page of the paper and seemed to
indicate that for the purposes of academic research a number of malicious
commits (ie commits that when added to the kernel would create a
vulnerability) had been introduced into the upstream kernel.
etc regarding both the ethics of effectively experimenting on subjects
without their consent and the concept of purposely introducing vulns just
for the sake of research purposes
fix the vulns and so none actually would have made it to end users so
they thought it was effectively done
just demonstrating something that most folks in OSS always knew was a
potential reality - that once a contributor to a project builds a certain
level of trust it would be relatively easy to introduce vulns like this
in a stealthy manner and that the best defence would be better automated
review tooling (static/dynamic analysis via CI etc) rather than trying to
rely on human reviewers to detect
full and it was revealed that 3 malicious commits were potentially
integrated into the upstream kernel - actually only 1 was ACKed and then
this was rejected and the other 2 were rejected outright. Recently,
GregKH weighed in and effectively blacklisted all contributions from UMN
and proposed to revert all commits that had come from umn.edu authors
review by various developers to decide which should NOT be reverted as
lots of them did actually fix legitimate issues
reverted as a result
this can be abused in either direction - tempting to jump to technical
solutions (ie better static analysis/CI etc) but this will never be
foolproof - also need the ability to move fast so can get say reverts
done and delivered to users, and also to build good relationships BUT in
the end need to still be wary - “trust but verify” - both on a technical
basis and also on a personal basis so we can better understand the
provenance of code etc
Hiring [14:36]
AppArmor Security Engineer
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact