Sign up to save your podcasts
Or
Share Episode 138
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 138
Overview
This week we discuss some of the challenges and trade-offs encountered when
providing security support for ageing software, plus we discuss security
updates for the Linux kernel, Firejail, Samba, PostgreSQL and more.
This week in Ubuntu Security Updates
42 unique CVEs addressed
[USN-5138-1] python-py vulnerability [00:38]
features which are now in standard lib or other packages - has been
deprecated
[USN-5139-1] Linux kernel (OEM 5.10) vulnerabilities [01:25]
[USN-5140-1] Linux kernel (OEM 5.14) vulnerabilities [02:12]
[USN-5137-2] Linux kernel vulnerabilities [02:33]
[LSN-0082-1] Linux kernel vulnerability [03:05]
BPF verifier - code-exec -> privesc
[USN-5141-1] Firejail vulnerability [03:48]
for overlayfs since was deemed - thanks to Reiner Herrmann for providing
this update
[USN-5142-1] Samba vulnerabilities [04:43]
domain members since Samba might incorrectly map local users to domain
members, plus incorrect handling of Kerberos tickets such that delegated
users could become domain admin by confusing Samba on which user a ticket
represented
changed behaviour regarding matching AD users to local users - would
previously fallback to a local user but now does not to avoid someone
specifying DOMAIN/root and then having that fallback to say root on the
local machine
[USN-5144-1] OpenEXR vulnerability [05:55]
[USN-5145-1] PostgreSQL vulnerabilities [06:08]
attacker to inject arbitrary SQL queries on the initial connection
establishment (similar to various STARTTLS vulns which have been seen
recently) - would process data sent in the clear before the TLS
connection had been established but should just throw this away
12.9 - focal, 10.19 - bionic)
[USN-5147-1] Vim vulnerabilities [07:13]
considered a real security mechanism), various memory corruption issues
too
[USN-5149-1] AccountsService vulnerability [08:01]
daemon which can be triggered by an unprivileged user - is due to a
Ubuntu specific patch which we include so that when the user selects a
language / format we save this in their ~/.pam_environment to keep
settings in sync
then it would get freed again by the original code
[USN-5148-1] hivex vulnerability [09:24]
Goings on in Ubuntu Security Community
How to handle large security updates in outdated software versions? [09:56]
without a lot of work or risk of regression since those releases already
used a more recent version like 4.11 etc so the change in behaviour as a
result of upgrading was so large and other packages in the archive were
still compatible with this new version
686 individual patches - bionic has Samba 4.7 and so would require a lot
of manual work to backport these ~700 patches, and the risk of
introducing a regression (ie breaking something) when backporting such a
large set of changes is higher
not cognisant of all the possible pitfalls etc
later releases, other packages like talloc, tdb, tevent and ldb and these
would all need to be upgraded as well
older Samba currently in bionic does
Python3 but it isn’t clear if the required Python3 dependencies even
exist in the 18.04 archive - so they man need to be backported and
introduced there as well
of regression
difficulties involved in doing security support for old software versions
which upstream has ceased to provide support
support periods for various packages - Bionic is still in it’s LTS phase
till 2023 so not even in ESM and already has trouble for Samba
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we discuss some of the challenges and trade-offs encountered when
providing security support for ageing software, plus we discuss security
updates for the Linux kernel, Firejail, Samba, PostgreSQL and more.
This week in Ubuntu Security Updates
42 unique CVEs addressed
[USN-5138-1] python-py vulnerability [00:38]
features which are now in standard lib or other packages - has been
deprecated
[USN-5139-1] Linux kernel (OEM 5.10) vulnerabilities [01:25]
[USN-5140-1] Linux kernel (OEM 5.14) vulnerabilities [02:12]
[USN-5137-2] Linux kernel vulnerabilities [02:33]
[LSN-0082-1] Linux kernel vulnerability [03:05]
BPF verifier - code-exec -> privesc
[USN-5141-1] Firejail vulnerability [03:48]
for overlayfs since was deemed - thanks to Reiner Herrmann for providing
this update
[USN-5142-1] Samba vulnerabilities [04:43]
domain members since Samba might incorrectly map local users to domain
members, plus incorrect handling of Kerberos tickets such that delegated
users could become domain admin by confusing Samba on which user a ticket
represented
changed behaviour regarding matching AD users to local users - would
previously fallback to a local user but now does not to avoid someone
specifying DOMAIN/root and then having that fallback to say root on the
local machine
[USN-5144-1] OpenEXR vulnerability [05:55]
[USN-5145-1] PostgreSQL vulnerabilities [06:08]
attacker to inject arbitrary SQL queries on the initial connection
establishment (similar to various STARTTLS vulns which have been seen
recently) - would process data sent in the clear before the TLS
connection had been established but should just throw this away
12.9 - focal, 10.19 - bionic)
[USN-5147-1] Vim vulnerabilities [07:13]
considered a real security mechanism), various memory corruption issues
too
[USN-5149-1] AccountsService vulnerability [08:01]
daemon which can be triggered by an unprivileged user - is due to a
Ubuntu specific patch which we include so that when the user selects a
language / format we save this in their ~/.pam_environment to keep
settings in sync
then it would get freed again by the original code
[USN-5148-1] hivex vulnerability [09:24]
Goings on in Ubuntu Security Community
How to handle large security updates in outdated software versions? [09:56]
without a lot of work or risk of regression since those releases already
used a more recent version like 4.11 etc so the change in behaviour as a
result of upgrading was so large and other packages in the archive were
still compatible with this new version
686 individual patches - bionic has Samba 4.7 and so would require a lot
of manual work to backport these ~700 patches, and the risk of
introducing a regression (ie breaking something) when backporting such a
large set of changes is higher
not cognisant of all the possible pitfalls etc
later releases, other packages like talloc, tdb, tevent and ldb and these
would all need to be upgraded as well
older Samba currently in bionic does
Python3 but it isn’t clear if the required Python3 dependencies even
exist in the 18.04 archive - so they man need to be backported and
introduced there as well
of regression
difficulties involved in doing security support for old software versions
which upstream has ceased to provide support
support periods for various packages - Bionic is still in it’s LTS phase
till 2023 so not even in ESM and already has trouble for Samba
Get in contact