Sign up to save your podcasts
Or
Share Episode 174
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 174
Overview
This week we cover the debate around the decision in Ubuntu 22.10 to disable
presenting platform security assessments to end users via GNOME, plus we look at
security updates for zlib, PostgreSQL, the Linux kernel, Exim and more.
This week in Ubuntu Security Updates
12 unique CVEs addressed
[USN-5570-1, USN-5573-1] zlib and rsync vulnerability [00:43]
call the inflateGetHeader() function so not everything that uses zlib would be
affected - impact is DoS via crash
couple different patches to fix this
already been identified and fixed upstream but some other distros who were
quicker off-the-mark were affected by the regression
of zlib - but on newer releases rsync uses the system install zlib and so once
that is patched then rsync is also effectively patched too
[USN-5571-1] PostgreSQL vulnerability [02:12]
extensions - some of these are bundled with postgres itself and some may come
from external sources - was fixed however in the core postgres server so no
need to modify/fix other extensions to remediate this vuln - just need to
update to this new patched version
[USN-5572-1] Linux kernel (AWS) vulnerabilities [02:45]
and another in the PV frontend - both of which failed to properly initialise
memory - could then allow a local attacker to see guest memory contents
unrelated data when communicating with various backends - could then possibly
lead to a crash of the guest or info leak of guest memory etc
[USN-5577-1] Linux kernel (OEM) vulnerabilities [03:38]
DoS
sizes -> OOB write -> DoS/codeexec->privesc
[USN-5574-1] Exim vulnerability [04:11]
configurations - failed to account for terminating NUL byte and so could
overwrite this and hence leave a string without a trailing NUL - run of end of
string -> subsequent further buffer overflow
items references the global variable sender_host_name so unlikely to affect
most installations
[USN-5575-1, USN-5575-2] Libxslt vulnerabilities [05:06]
via crafted HTML
well
[USN-5576-1] Twisted vulnerability [05:41]
then allow requests which should have been blocked and hence lead to desync if
requests pass though multiple parsers -> request smuggling -> access to
privileged endpoints etc
[USN-5578-1] Open VM Tools vulnerability [06:23]
requests - could then allow a local user who has non-admin access to a guest
VM to escalate privileges and gain root within the VM
Goings on in Ubuntu Security Community
Ubuntu 22.10 To Disable GNOME 43’s ‘Device Security’ Panel [07:09]
GNOME Control Center / Settings
vendors to build and provide security configurations OOTB
of hardware platforms
details from LVFS for the firmware of the machine and the results can be
viewed in g-c-c
easily increase their security / get to a higher level of conformance
take to remediate it
but this has the chance of breaking things
is already done in Ubuntu for the vast majority of packages but not for
the kernel - still waiting on Intel to upstream patches required to make
this work)
you don’t get it right
especially if they want to try and increase security awareness etc, this
needs to be actionable - and be actionable from the same place as the info
is displayed - ie in g-c-c itself
secure for the user this needs to be super robust to make sure we still
don’t brick machines etc
to be included for Ubuntu 22.10 in such a prominent way
fwupdmgr security
The HSI specification is not yet complete. To ignore this warning, use --force
time
“I suppose that not knowing is more secure?”
would just create alarm with no easy actions for a user to take to remediate
it - since then there is a risk of DoS by say enabling secure boot when
unknowingly using unsigned drivers etc
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we cover the debate around the decision in Ubuntu 22.10 to disable
presenting platform security assessments to end users via GNOME, plus we look at
security updates for zlib, PostgreSQL, the Linux kernel, Exim and more.
This week in Ubuntu Security Updates
12 unique CVEs addressed
[USN-5570-1, USN-5573-1] zlib and rsync vulnerability [00:43]
call the inflateGetHeader() function so not everything that uses zlib would be
affected - impact is DoS via crash
couple different patches to fix this
already been identified and fixed upstream but some other distros who were
quicker off-the-mark were affected by the regression
of zlib - but on newer releases rsync uses the system install zlib and so once
that is patched then rsync is also effectively patched too
[USN-5571-1] PostgreSQL vulnerability [02:12]
extensions - some of these are bundled with postgres itself and some may come
from external sources - was fixed however in the core postgres server so no
need to modify/fix other extensions to remediate this vuln - just need to
update to this new patched version
[USN-5572-1] Linux kernel (AWS) vulnerabilities [02:45]
and another in the PV frontend - both of which failed to properly initialise
memory - could then allow a local attacker to see guest memory contents
unrelated data when communicating with various backends - could then possibly
lead to a crash of the guest or info leak of guest memory etc
[USN-5577-1] Linux kernel (OEM) vulnerabilities [03:38]
DoS
sizes -> OOB write -> DoS/codeexec->privesc
[USN-5574-1] Exim vulnerability [04:11]
configurations - failed to account for terminating NUL byte and so could
overwrite this and hence leave a string without a trailing NUL - run of end of
string -> subsequent further buffer overflow
items references the global variable sender_host_name so unlikely to affect
most installations
[USN-5575-1, USN-5575-2] Libxslt vulnerabilities [05:06]
via crafted HTML
well
[USN-5576-1] Twisted vulnerability [05:41]
then allow requests which should have been blocked and hence lead to desync if
requests pass though multiple parsers -> request smuggling -> access to
privileged endpoints etc
[USN-5578-1] Open VM Tools vulnerability [06:23]
requests - could then allow a local user who has non-admin access to a guest
VM to escalate privileges and gain root within the VM
Goings on in Ubuntu Security Community
Ubuntu 22.10 To Disable GNOME 43’s ‘Device Security’ Panel [07:09]
GNOME Control Center / Settings
vendors to build and provide security configurations OOTB
of hardware platforms
details from LVFS for the firmware of the machine and the results can be
viewed in g-c-c
easily increase their security / get to a higher level of conformance
take to remediate it
but this has the chance of breaking things
is already done in Ubuntu for the vast majority of packages but not for
the kernel - still waiting on Intel to upstream patches required to make
this work)
you don’t get it right
especially if they want to try and increase security awareness etc, this
needs to be actionable - and be actionable from the same place as the info
is displayed - ie in g-c-c itself
secure for the user this needs to be super robust to make sure we still
don’t brick machines etc
to be included for Ubuntu 22.10 in such a prominent way
fwupdmgr security
The HSI specification is not yet complete. To ignore this warning, use --force
time
“I suppose that not knowing is more secure?”
would just create alarm with no easy actions for a user to take to remediate
it - since then there is a risk of DoS by say enabling secure boot when
unknowingly using unsigned drivers etc
Get in contact