Sign up to save your podcasts
Or
Share Episode 118
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 118
Overview
This week we look at DMCA notices sent against Ubuntu ISOs plus security
updates for nginx, DHCP, Lasso, Django, Dnsmasq and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4967-1, USN-4967-2] nginx vulnerability [00:50]
UDP so could possibly be more easily forged than TCP (less state) -
crash, RCE
[USN-4968-1, USN-4968-2] LZ4 vulnerability [01:27]
[USN-4969-1, USN-4969-2] DHCP vulnerability [01:52]
both dhclient and dhcpd - DoS. In case of dhcpd could also cause that
lease to be deleted (and the one that follows it in the lease database).
ISC claim impact is LESS is using compiler hardening
(stack-protector-strong) - since in this case will trigger an abort - but
if not used it will keep running…
[USN-4970-1] GUPnP vulnerability [03:15]
cause the local web browser into triggering actions against local UPnP
services that use gupnp library as it would not check that the Host
header specified the expected IP address. Could then be used for data
exfil / tampering etc.
rebinding
[USN-4971-1] libwebp vulnerabilities [04:11]
video codec using predictive encoding - uses neighboring pixels to
predict values in a block and then encodes only the difference)
[USN-4972-1] PostgreSQL vulnerabilities [05:05]
these updates
[USN-4973-1] Python vulnerability [05:44]
in octets of an IP address - could allow bypass of access controls that
are based on IP addresses. Now treats leading zeros as invalid input
(before would try and treat them as octal… but could end up confused as
a result)
[USN-4974-1] Lasso vulnerability [06:40]
product) - and coordinated between affected distros and vendors etc
(Security Assertion Markup Language v2) for authentication
additional unsigned assertions appened to this, these unsigned assertions
would be treated as valid as well.
assertion and append assertions for other users to the end to then
impersonate those other users.
[USN-4975-1] Django vulnerabilities [08:19]
inject other headers into responses etc
probe for the existence of files or possibly obtain their contents
above
[USN-4976-1] Dnsmasq vulnerability [08:56]
forwarding queries when configured to use a specific server for a given
network interface - could then allow a remote attacker to more easily
perform cache poisoning attacks (ie just need to guess the transmission
ID once know the source port to get a forged reply accepted)
Kaminsky - the whole reason source port randomisation was introduced as
part of the DNS protocol
Goings on in Ubuntu Security Community
Ubuntu user’s DMCA violation [09:58]
bittorrent received a DMCA violation notice from their ISP (Comcast)
unknown parties across multiple streaming platforms
the notice and sent it to the user…
looking into it as well
Paramount Pictures used the DMCA to send a takedown request to Google to
remove a search result linking to the Ubuntu 12.04.2 alternate ISO at
extratorrent.cc - this was listed as apparently being a link to the
Transformers: Age of Extinction movie…
the sheer volume of such requests they get per day (3 million p/d
pirate URLs to be removed from search results)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we look at DMCA notices sent against Ubuntu ISOs plus security
updates for nginx, DHCP, Lasso, Django, Dnsmasq and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4967-1, USN-4967-2] nginx vulnerability [00:50]
UDP so could possibly be more easily forged than TCP (less state) -
crash, RCE
[USN-4968-1, USN-4968-2] LZ4 vulnerability [01:27]
[USN-4969-1, USN-4969-2] DHCP vulnerability [01:52]
both dhclient and dhcpd - DoS. In case of dhcpd could also cause that
lease to be deleted (and the one that follows it in the lease database).
ISC claim impact is LESS is using compiler hardening
(stack-protector-strong) - since in this case will trigger an abort - but
if not used it will keep running…
[USN-4970-1] GUPnP vulnerability [03:15]
cause the local web browser into triggering actions against local UPnP
services that use gupnp library as it would not check that the Host
header specified the expected IP address. Could then be used for data
exfil / tampering etc.
rebinding
[USN-4971-1] libwebp vulnerabilities [04:11]
video codec using predictive encoding - uses neighboring pixels to
predict values in a block and then encodes only the difference)
[USN-4972-1] PostgreSQL vulnerabilities [05:05]
these updates
[USN-4973-1] Python vulnerability [05:44]
in octets of an IP address - could allow bypass of access controls that
are based on IP addresses. Now treats leading zeros as invalid input
(before would try and treat them as octal… but could end up confused as
a result)
[USN-4974-1] Lasso vulnerability [06:40]
product) - and coordinated between affected distros and vendors etc
(Security Assertion Markup Language v2) for authentication
additional unsigned assertions appened to this, these unsigned assertions
would be treated as valid as well.
assertion and append assertions for other users to the end to then
impersonate those other users.
[USN-4975-1] Django vulnerabilities [08:19]
inject other headers into responses etc
probe for the existence of files or possibly obtain their contents
above
[USN-4976-1] Dnsmasq vulnerability [08:56]
forwarding queries when configured to use a specific server for a given
network interface - could then allow a remote attacker to more easily
perform cache poisoning attacks (ie just need to guess the transmission
ID once know the source port to get a forged reply accepted)
Kaminsky - the whole reason source port randomisation was introduced as
part of the DNS protocol
Goings on in Ubuntu Security Community
Ubuntu user’s DMCA violation [09:58]
bittorrent received a DMCA violation notice from their ISP (Comcast)
unknown parties across multiple streaming platforms
the notice and sent it to the user…
looking into it as well
Paramount Pictures used the DMCA to send a takedown request to Google to
remove a search result linking to the Ubuntu 12.04.2 alternate ISO at
extratorrent.cc - this was listed as apparently being a link to the
Transformers: Age of Extinction movie…
the sheer volume of such requests they get per day (3 million p/d
pirate URLs to be removed from search results)
Get in contact