Sign up to save your podcasts
Or
Share Episode 146
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 146
Overview
Ubuntu 21.04 goes EOL soon, plus we cover security updates for Django, the Linux kernel, Apache httpd2 + Log4j2, Ghostscript and more.
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-5204-1] Django vulnerabilities [00:45]
Storage.save() with crafted file names
make method calls when passing in a crafted key - Django upstream remind
that should always validate user input before use
entire submitted password for similarity which (when passed a very long
password) would use a lot of CPU - fixed to discard anything with a
length that was significantly different than the supplied password
[USN-5206-1] Linux kernel (OEM) vulnerability [02:08]
don’t get flushed, a local attacker could then possibly read or alter
stale data from other processes which are using huge pages
opt in by using mmap() or SYSV shmem syscalls with the SHM_HUGETLB flag
requirements as they can preallocate memory using much larger page
sizes which gives performance benefits since many less TLB entries for
the same amount of memory compared to using standard size 4K pages
[USN-5207-1] Linux kernel (OEM) vulnerabilities [04:26]
privileged attacker to modify maps that were meant to be read-only
by local unprivileged users to cause DoS / possible code execution
[USN-5208-1] Linux kernel vulnerabilities [06:01]
5.11 HWE kernel series for Ubuntu 20.04 LTS
[USN-5209-1] Linux kernel vulnerabilities [06:38]
Ubuntu 16.04 ESM, 4.15 kernel for Ubuntu 14.04 ESM on Azure
[USN-5210-1] Linux kernel vulnerabilities
18.04 LTS
[USN-5211-1] Linux kernel vulnerability
14.04 ESM
[USN-5219-1] Linux kernel vulnerability
5.11 HWE kernel series for Ubuntu 20.04 LTS
[USN-5217-1] Linux kernel (OEM) vulnerabilities
[USN-5218-1] Linux kernel (OEM) vulnerabilities
[LSN-0083-1] Linux kernel vulnerability [07:33]
the kernel
[USN-5212-1, USN-5212-2] Apache HTTP Server vulnerabilities [08:54]
[USN-5213-1] WebKitGTK vulnerabilities [09:37]
[USN-5043-2] Exiv2 regression [10:10]
debdiff to fix this issue
[USN-5222-1] Apache Log4j 2 vulnerabilities [11:06]
use a JDBC appender - ie configured to write event logs to a relational
database table via standard JDBC
attacker to be able to control Thread Context Map data as well as be
able to supply crafted strings to get logged
[USN-5224-1] Ghostscript vulnerabilities [12:21]
were more logic bugs in the sandbox etc) - in this case a UAF and a heap
buffer overflow -> crash / RCE
Goings on in Ubuntu Security Community
Ubuntu 21.04 EOL [13:31]
another 6 months more until July 2022
Ubuntu Security Podcast back on break for 2 weeks [14:37]
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
Ubuntu 21.04 goes EOL soon, plus we cover security updates for Django, the Linux kernel, Apache httpd2 + Log4j2, Ghostscript and more.
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-5204-1] Django vulnerabilities [00:45]
Storage.save() with crafted file names
make method calls when passing in a crafted key - Django upstream remind
that should always validate user input before use
entire submitted password for similarity which (when passed a very long
password) would use a lot of CPU - fixed to discard anything with a
length that was significantly different than the supplied password
[USN-5206-1] Linux kernel (OEM) vulnerability [02:08]
don’t get flushed, a local attacker could then possibly read or alter
stale data from other processes which are using huge pages
opt in by using mmap() or SYSV shmem syscalls with the SHM_HUGETLB flag
requirements as they can preallocate memory using much larger page
sizes which gives performance benefits since many less TLB entries for
the same amount of memory compared to using standard size 4K pages
[USN-5207-1] Linux kernel (OEM) vulnerabilities [04:26]
privileged attacker to modify maps that were meant to be read-only
by local unprivileged users to cause DoS / possible code execution
[USN-5208-1] Linux kernel vulnerabilities [06:01]
5.11 HWE kernel series for Ubuntu 20.04 LTS
[USN-5209-1] Linux kernel vulnerabilities [06:38]
Ubuntu 16.04 ESM, 4.15 kernel for Ubuntu 14.04 ESM on Azure
[USN-5210-1] Linux kernel vulnerabilities
18.04 LTS
[USN-5211-1] Linux kernel vulnerability
14.04 ESM
[USN-5219-1] Linux kernel vulnerability
5.11 HWE kernel series for Ubuntu 20.04 LTS
[USN-5217-1] Linux kernel (OEM) vulnerabilities
[USN-5218-1] Linux kernel (OEM) vulnerabilities
[LSN-0083-1] Linux kernel vulnerability [07:33]
the kernel
[USN-5212-1, USN-5212-2] Apache HTTP Server vulnerabilities [08:54]
[USN-5213-1] WebKitGTK vulnerabilities [09:37]
[USN-5043-2] Exiv2 regression [10:10]
debdiff to fix this issue
[USN-5222-1] Apache Log4j 2 vulnerabilities [11:06]
use a JDBC appender - ie configured to write event logs to a relational
database table via standard JDBC
attacker to be able to control Thread Context Map data as well as be
able to supply crafted strings to get logged
[USN-5224-1] Ghostscript vulnerabilities [12:21]
were more logic bugs in the sandbox etc) - in this case a UAF and a heap
buffer overflow -> crash / RCE
Goings on in Ubuntu Security Community
Ubuntu 21.04 EOL [13:31]
another 6 months more until July 2022
Ubuntu Security Podcast back on break for 2 weeks [14:37]
Get in contact