May 21, 2021

Episode 116

15 minutes

Overview

With 60 CVEs fixed across MySQL, Django, Please and the Linux kernel this

week we take a look at some of these details, plus look at the recent

announcement of 1Password for Linux and some open positions on the team

too.

This week in Ubuntu Security Updates

60 unique CVEs addressed

[USN-4952-1] MySQL vulnerabilities [00:58]

33 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-2308

CVE-2021-2307

CVE-2021-2305

CVE-2021-2304

CVE-2021-2301

CVE-2021-2300

CVE-2021-2299

CVE-2021-2298

CVE-2021-2293

CVE-2021-2278

CVE-2021-2232

CVE-2021-2230

CVE-2021-2226

CVE-2021-2217

CVE-2021-2215

CVE-2021-2212

CVE-2021-2208

CVE-2021-2203

CVE-2021-2201

CVE-2021-2196

CVE-2021-2194

CVE-2021-2193

CVE-2021-2180

CVE-2021-2179

CVE-2021-2172

CVE-2021-2171

CVE-2021-2170

CVE-2021-2169

CVE-2021-2166

CVE-2021-2164

CVE-2021-2162

CVE-2021-2154

CVE-2021-2146

Latest upstream point releases - includes both security and bug fixes and

possibly incompatible changes etc

MySQL has been updated to 8.0.25 in Ubuntu 20.04 LTS, Ubuntu 20.10, and

Ubuntu 21.04. Ubuntu 18.04 LTS has been updated to MySQL 5.7.34.

[USN-4932-2] Django vulnerability [01:37]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2021-31542

Episode 114 - directory traversal via file upload

[USN-4953-1] AWStats vulnerabilities [01:56]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2017-1000501

CVE-2020-35176

CVE-2020-29600

A-W-Stats - Advanced Web Statistics - log analyzer etc

Incomplete fix for old CVE-2017-1000501 - this itself was incomplete

too - hence CVE-2020-35176

Could be used to read an arbitrary file on the webserver via the config

parameter - and this could allow code execution as this was not

sanitised properly

[USN-4954-1] GNU C Library vulnerabilities [03:00]

2 CVEs addressed in Xenial (16.04 LTS)

CVE-2009-5155

CVE-2020-6096

ARMv7 specific issue - memcpy() undefined behaviour if a negative length

were specified

DoS (assertion failure + abort) via crafted regex - so should not be

passing untrusted regular expressions to posix regex implementation

[USN-4628-3] Intel Microcode vulnerabilities [04:08]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2020-8698

CVE-2020-8696

CVE-2020-8695

Episode 96 - RAPL side-channel etc - corresponding update for some Xeon

processors

[USN-4955-1] Please vulnerabilities [04:44]

3 CVEs addressed in Hirsute (21.04)

CVE-2021-31155

CVE-2021-31154

CVE-2021-31153

sudo replacement written in rust

Code analysis by Matthias Gerstner @ SuSE -

arbitrary file existence test and open (eg could open /dev/zero and

consume memory -> OOM)

unsafe permissions for token directory - create world-writable - can

allow an unprivileged user to get root privileges quite easily by

creating their own token as though they had authenticated

pleaseedit uses predictable paths in /tmp - without symlink protections

could allow a user to change ownership of arbitrary files as it would

follow symlinks

rust is not a panacea - not all vulnerabilities are memory corruption and

writing setuid root binaries is always going to be challenging

[LSN-0077-1] Linux kernel vulnerability [07:04]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3492

shiftfs specific vuln reported via ZDI (found by Vincent Dehors) - Ubuntu

carry this as an out-of-tree patch so doesn’t affect upstream kernel

(used by LXD etc for UID mapping in containers)

Failed to handle faults in copy_from_user() -> double-free or possible

memory leak -> code execution/DoS

[USN-4956-1] Eventlet vulnerability [08:05]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-21419

Python eventlet (concurrent networking library)

Used by a lot of other packages including openstack etc

websocket peer could DoS via memory exhaustion by sending very large

websocket frames

[USN-4957-1, USN-4957-2] DjVuLibre vulnerabilities [08:31]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3500

CVE-2021-32493

CVE-2021-32492

CVE-2021-32491

CVE-2021-32490

document format alternative to pdf - for storing scanned documents etc

c++ - memory corruption vulns

heap buffer overflow

oob write

stack buffer overflow

oob read

integer overflow

DoS/RCE

[USN-4958-1] Caribou vulnerability [09:27]

Affecting Focal (20.04 LTS), Groovy (20.10)

Caribou on-screen keyboard could crash if given crafted input - in some

cases, this would then cause the screensaver to crash -> unauthenticated

access to a desktop session

Thanks to Fabio Fantoni and Joshua Peisach (itzswirlz) from the Ubuntu

community for preparing these updates

[USN-4959-1] GStreamer Base Plugins vulnerability [10:11]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-3522

OOB read on crafted input since failed to properly check size -> DoS

[USN-4945-2] Linux kernel (Raspberry Pi) vulnerabilities [10:18]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-28660

CVE-2021-28375

CVE-2021-28038

CVE-2020-25639

Episode 115 - regular kernels for Ubuntu 20.04 / 18.04 LTS

Update also for the raspi specific kernel build

Goings on in Ubuntu Security Community

1Password for Linux officially released [10:43]

Episode 86 (August 2020) - beta was announced

Now officially released, includes integration with browser extension to

stay unlocked across both, use of regular desktop authentication to

unlock as well - e.g. fingerprint / yubikey etc - both opt-in features.

Great desktop integration, theme, clipboard, GNOME Keyring / KDE Wallet,

kernel keyring, DBUS API, integration with system lock / idle etc

Feature parity with Windows and MacOS clients PLUS extra features like

Secure file attachment, Watchtower, item archiving / deletion, quick find

and more

Uses kernel keyring to store the key used to establish the connection

between the browser and the desktop client

Backend and lots of underlying libs written in Rust - UI is React

Native packages for Ubuntu (Debian. CentOS, Fedora, RHEL)

Snap

Hiring [13:56]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

May 21, 2021

Episode 116

15 minutes

Overview

With 60 CVEs fixed across MySQL, Django, Please and the Linux kernel this

week we take a look at some of these details, plus look at the recent

announcement of 1Password for Linux and some open positions on the team

too.

This week in Ubuntu Security Updates

60 unique CVEs addressed

[USN-4952-1] MySQL vulnerabilities [00:58]

33 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-2308

CVE-2021-2307

CVE-2021-2305

CVE-2021-2304

CVE-2021-2301

CVE-2021-2300

CVE-2021-2299

CVE-2021-2298

CVE-2021-2293

CVE-2021-2278

CVE-2021-2232

CVE-2021-2230

CVE-2021-2226

CVE-2021-2217

CVE-2021-2215

CVE-2021-2212

CVE-2021-2208

CVE-2021-2203

CVE-2021-2201

CVE-2021-2196

CVE-2021-2194

CVE-2021-2193

CVE-2021-2180

CVE-2021-2179

CVE-2021-2172

CVE-2021-2171

CVE-2021-2170

CVE-2021-2169

CVE-2021-2166

CVE-2021-2164

CVE-2021-2162

CVE-2021-2154

CVE-2021-2146

Latest upstream point releases - includes both security and bug fixes and

possibly incompatible changes etc

MySQL has been updated to 8.0.25 in Ubuntu 20.04 LTS, Ubuntu 20.10, and

Ubuntu 21.04. Ubuntu 18.04 LTS has been updated to MySQL 5.7.34.

[USN-4932-2] Django vulnerability [01:37]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2021-31542

Episode 114 - directory traversal via file upload

[USN-4953-1] AWStats vulnerabilities [01:56]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2017-1000501

CVE-2020-35176

CVE-2020-29600

A-W-Stats - Advanced Web Statistics - log analyzer etc

Incomplete fix for old CVE-2017-1000501 - this itself was incomplete

too - hence CVE-2020-35176

Could be used to read an arbitrary file on the webserver via the config

parameter - and this could allow code execution as this was not

sanitised properly

[USN-4954-1] GNU C Library vulnerabilities [03:00]

2 CVEs addressed in Xenial (16.04 LTS)

CVE-2009-5155

CVE-2020-6096

ARMv7 specific issue - memcpy() undefined behaviour if a negative length

were specified

DoS (assertion failure + abort) via crafted regex - so should not be

passing untrusted regular expressions to posix regex implementation

[USN-4628-3] Intel Microcode vulnerabilities [04:08]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2020-8698

CVE-2020-8696

CVE-2020-8695

Episode 96 - RAPL side-channel etc - corresponding update for some Xeon

processors

[USN-4955-1] Please vulnerabilities [04:44]

3 CVEs addressed in Hirsute (21.04)

CVE-2021-31155

CVE-2021-31154

CVE-2021-31153

sudo replacement written in rust

Code analysis by Matthias Gerstner @ SuSE -

arbitrary file existence test and open (eg could open /dev/zero and

consume memory -> OOM)

unsafe permissions for token directory - create world-writable - can

allow an unprivileged user to get root privileges quite easily by

creating their own token as though they had authenticated

pleaseedit uses predictable paths in /tmp - without symlink protections

could allow a user to change ownership of arbitrary files as it would

follow symlinks

rust is not a panacea - not all vulnerabilities are memory corruption and

writing setuid root binaries is always going to be challenging

[LSN-0077-1] Linux kernel vulnerability [07:04]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3492

shiftfs specific vuln reported via ZDI (found by Vincent Dehors) - Ubuntu

carry this as an out-of-tree patch so doesn’t affect upstream kernel

(used by LXD etc for UID mapping in containers)

Failed to handle faults in copy_from_user() -> double-free or possible

memory leak -> code execution/DoS

[USN-4956-1] Eventlet vulnerability [08:05]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-21419

Python eventlet (concurrent networking library)

Used by a lot of other packages including openstack etc

websocket peer could DoS via memory exhaustion by sending very large

websocket frames

[USN-4957-1, USN-4957-2] DjVuLibre vulnerabilities [08:31]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3500

CVE-2021-32493

CVE-2021-32492

CVE-2021-32491

CVE-2021-32490

document format alternative to pdf - for storing scanned documents etc

c++ - memory corruption vulns

heap buffer overflow

oob write

stack buffer overflow

oob read

integer overflow

DoS/RCE

[USN-4958-1] Caribou vulnerability [09:27]

Affecting Focal (20.04 LTS), Groovy (20.10)

Caribou on-screen keyboard could crash if given crafted input - in some

cases, this would then cause the screensaver to crash -> unauthenticated

access to a desktop session

Thanks to Fabio Fantoni and Joshua Peisach (itzswirlz) from the Ubuntu

community for preparing these updates

[USN-4959-1] GStreamer Base Plugins vulnerability [10:11]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-3522

OOB read on crafted input since failed to properly check size -> DoS

[USN-4945-2] Linux kernel (Raspberry Pi) vulnerabilities [10:18]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-28660

CVE-2021-28375

CVE-2021-28038

CVE-2020-25639

Episode 115 - regular kernels for Ubuntu 20.04 / 18.04 LTS

Update also for the raspi specific kernel build

Goings on in Ubuntu Security Community

1Password for Linux officially released [10:43]

Episode 86 (August 2020) - beta was announced

Now officially released, includes integration with browser extension to

stay unlocked across both, use of regular desktop authentication to

unlock as well - e.g. fingerprint / yubikey etc - both opt-in features.

Great desktop integration, theme, clipboard, GNOME Keyring / KDE Wallet,

kernel keyring, DBUS API, integration with system lock / idle etc

Feature parity with Windows and MacOS clients PLUS extra features like

Secure file attachment, Watchtower, item archiving / deletion, quick find

and more

Uses kernel keyring to store the key used to establish the connection

between the browser and the desktop client

Backend and lots of underlying libs written in Rust - UI is React

Native packages for Ubuntu (Debian. CentOS, Fedora, RHEL)

Snap

Hiring [13:56]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 116

Sign up to save your podcasts

Episode 116

Episode 116