Sign up to save your podcasts
Or
Share Episode 126
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 126
Overview
This week Ubuntu 20.04 LTS was FIPS 140-2 certified plus the AppArmor
project made some point releases, and we released security updates for
Docker, Perl, c-ares, GPSd and more.
This week in Ubuntu Security Updates
2 unique CVEs addressed
[USN-5031-1] openCryptoki vulnerability [00:54]
be done via SRU for 21.04 but instead we published via -security to
ensure all users received it
[USN-5032-1, USN-5032-2] Docker vulnerabilities [02:29]
includes a bunch of security fixes as well
may break existing containers - in particular, drops support for the aufs
storage driver so if you were using this you should upgrade your
configuration to use the overlayfs2 storage driver instead -
https://docs.docker.com/storage/storagedriver/overlayfs-driver/ - this is
a bit involved since you need to export your images, switch the storage
driver, then load the images back one after another
[USN-5033-1] Perl vulnerability [03:32]
current working directory - was introduced by a change in Encode 3.05 in
perl 5.32/5.34 so only affected >= 21.04
[USN-5034-1, USN-5034-2] c-ares vulnerability [03:59]
could allow a remote attacker to possibly perform domain hijacking
attacks
[USN-5035-1] GPSd vulnerability [04:28]
time jumping back 1024 weeks on 2021-10-31
pervasive gpsd is used for handling GPS receivers which are often used
for high precision timing or positioning systems (self-driving cars?) -
this could have real-world security implications
so older versions in 18.04 LTS etc were not affected
Goings on in Ubuntu Security Community
AppArmor 3.0.2 / 3.0.3 released [06:39]
things like PHP 8, widevine DRM in firefox, support reading of crypto
policies for SSL-using applications
FIPS 140-2 certification for Ubuntu 20.04 LTS! [07:44]
the US public sector and Federal government including regulated
industries such as healthcare and finance
including OpenSSL 1.1.1
implementation)
Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to
Canonical’s FIPS 140-2 repositories, alongside expanded security and
hardening.
for cryptographic modules)
years from the validation date
to provide FIPS 140-3 certified cryptographic packages on a future
release of Ubuntu.
Ubuntu 20.04.3 LTS release delayed until August 26th [10:11]
latest security updates etc - includes newest shim - this is now unified
across various Ubuntu releases - installation media with this new version
fails to boot on certain Dell and Sony Vaio machines - fix for this is in
progress, plus the current RISC-V HWE kernel build PANIC’s under certain
scenarios
can be fixed and new media spun up and tested adequetly before the
release
Hiring [11:27]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week Ubuntu 20.04 LTS was FIPS 140-2 certified plus the AppArmor
project made some point releases, and we released security updates for
Docker, Perl, c-ares, GPSd and more.
This week in Ubuntu Security Updates
2 unique CVEs addressed
[USN-5031-1] openCryptoki vulnerability [00:54]
be done via SRU for 21.04 but instead we published via -security to
ensure all users received it
[USN-5032-1, USN-5032-2] Docker vulnerabilities [02:29]
includes a bunch of security fixes as well
may break existing containers - in particular, drops support for the aufs
storage driver so if you were using this you should upgrade your
configuration to use the overlayfs2 storage driver instead -
https://docs.docker.com/storage/storagedriver/overlayfs-driver/ - this is
a bit involved since you need to export your images, switch the storage
driver, then load the images back one after another
[USN-5033-1] Perl vulnerability [03:32]
current working directory - was introduced by a change in Encode 3.05 in
perl 5.32/5.34 so only affected >= 21.04
[USN-5034-1, USN-5034-2] c-ares vulnerability [03:59]
could allow a remote attacker to possibly perform domain hijacking
attacks
[USN-5035-1] GPSd vulnerability [04:28]
time jumping back 1024 weeks on 2021-10-31
pervasive gpsd is used for handling GPS receivers which are often used
for high precision timing or positioning systems (self-driving cars?) -
this could have real-world security implications
so older versions in 18.04 LTS etc were not affected
Goings on in Ubuntu Security Community
AppArmor 3.0.2 / 3.0.3 released [06:39]
things like PHP 8, widevine DRM in firefox, support reading of crypto
policies for SSL-using applications
FIPS 140-2 certification for Ubuntu 20.04 LTS! [07:44]
the US public sector and Federal government including regulated
industries such as healthcare and finance
including OpenSSL 1.1.1
implementation)
Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to
Canonical’s FIPS 140-2 repositories, alongside expanded security and
hardening.
for cryptographic modules)
years from the validation date
to provide FIPS 140-3 certified cryptographic packages on a future
release of Ubuntu.
Ubuntu 20.04.3 LTS release delayed until August 26th [10:11]
latest security updates etc - includes newest shim - this is now unified
across various Ubuntu releases - installation media with this new version
fails to boot on certain Dell and Sony Vaio machines - fix for this is in
progress, plus the current RISC-V HWE kernel build PANIC’s under certain
scenarios
can be fixed and new media spun up and tested adequetly before the
release
Hiring [11:27]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact