Sign up to save your podcasts
Or
Share Episode 175
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 175
Overview
An increased rate of CVEs in curl is a good thing, and we’ll tell you why, plus
we cover security updates for the Linux kernel, Firefox, Schroot, systemd and
more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5474-2] Varnish Cache regression [00:43]
upstream - thanks to community member who reported this and provided the
associated debdiff to fix it
[USN-5572-2, USN-5579-1] Linux kernel vulnerabilities [01:27]
[USN-5580-1] Linux kernel (AWS) vulnerabilities [01:54]
USN-5577-1 in Episode 174
truncate packets below their header size -> remote DoS
[USN-5582-1] Linux kernel (Azure CVM) vulnerabilities [02:42]
protected from VM host
covered back in USN-5557-1 in Episode 172 - all in netfilter / network packet
scheduler subsystems
[USN-5588-1] Linux kernel vulnerability [03:43]
[USN-5589-1] Linux kernel vulnerabilities [03:56]
[USN-5590-1] Linux kernel (OEM) vulnerability [04:24]
size mentioned earlier
[USN-5578-2] Open VM Tools vulnerability [04:34]
[USN-5581-1] Firefox vulnerabilities [04:57]
security restrictions, RCE via malicious web content
[USN-5584-1] Schroot vulnerability [05:25]
many Ubuntu developers - interesting avenue for a supply chain attack perhaps?
name that would then result in schroot corrupting its internal state and then
stopping it from launching any more schroot sessions for any other users on
the machine
[USN-5586-1] SDL vulnerability [07:05]
[USN-5583-1] systemd vulnerability [07:14]
[USN-5585-1] Jupyter Notebook vulnerabilities [07:44]
redirect, info leak etc
Goings on in Ubuntu Security Community
Increased CVE activity in curl [08:09]
noticed an increased rate in CVEs for curl in the last year
in particular on https://curl.se/dashboard1.html#vulns-per-year
(plus curl itself to fetch the data in the first place):
#!/bin/bash
for d in $(curl -s "https://ubuntu.com/security/cves.json?order=newest&package=curl&limit=100" | jq -r ".cves[].published"); do
date +%s -d "$d";
done > curlhist
#!/usr/bin/gnuplot
binwidth = 60*60*24*365 # ~30days in seconds
bin(x,width)=width*floor(x/width) + width/2.0
set xdata time
set datafile missing NaN
set boxwidth binwidth
set xtics format "%Y" time rotate
set style fill solid 0.5 # fill style
set title 'Frequency of curl CVEs in the Ubuntu CVE Tracker by year'
plot 'curlhist' using (bin($1,binwidth)):(1.0) \
smooth freq with boxes notitle
the first place (or actually not introduce it) - but overall it is good they
are being looked for and found and fixed
knowledge of the code - can’t just drive by and find bugs - need to spend a
lot of time getting to know the code and protocols etc well to be able to
find these sorts of issues
security issues
of each CVE in curl - like the Linux kernel, curl developers go back and try
find out what commit introduced a particular vulnerability - they can then
compare the time from when that original commit was introduced to when the
commit which fixes the bug was made
analysis using the data we collect in the Ubuntu CVE Tracker over the years
and found that for kernel vulnerabilities the average lifetime is 5.5 years
per year since 2007
doesn’t tell us if say the same amount of new code is being written each
year - perhaps this is more refactoring / cleanups over time?)
but since the CVE lifetime is growing over time, then more CVEs are being
found in the older code than newer code - and as such the quality of the
code seems to be improving over time
recently sounds bad, this is actually a good thing - it means these long lived
vulnerabilties are being found and fixed - this is a good thing - and the bug
bounty provides a good incentive to first encourage vulns to be looked for and
found and then to make sure they get reported and hence fixed (and not say
hoarded or sold to third parties etc)
exponentially - so over time the number of latent vulns in the curl codebase
is decreasing - and this is definitely a good thing
found and fixed you need to create an environment that encourages that - and
what is more motivating than cold hard cash?
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
An increased rate of CVEs in curl is a good thing, and we’ll tell you why, plus
we cover security updates for the Linux kernel, Firefox, Schroot, systemd and
more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5474-2] Varnish Cache regression [00:43]
upstream - thanks to community member who reported this and provided the
associated debdiff to fix it
[USN-5572-2, USN-5579-1] Linux kernel vulnerabilities [01:27]
[USN-5580-1] Linux kernel (AWS) vulnerabilities [01:54]
USN-5577-1 in Episode 174
truncate packets below their header size -> remote DoS
[USN-5582-1] Linux kernel (Azure CVM) vulnerabilities [02:42]
protected from VM host
covered back in USN-5557-1 in Episode 172 - all in netfilter / network packet
scheduler subsystems
[USN-5588-1] Linux kernel vulnerability [03:43]
[USN-5589-1] Linux kernel vulnerabilities [03:56]
[USN-5590-1] Linux kernel (OEM) vulnerability [04:24]
size mentioned earlier
[USN-5578-2] Open VM Tools vulnerability [04:34]
[USN-5581-1] Firefox vulnerabilities [04:57]
security restrictions, RCE via malicious web content
[USN-5584-1] Schroot vulnerability [05:25]
many Ubuntu developers - interesting avenue for a supply chain attack perhaps?
name that would then result in schroot corrupting its internal state and then
stopping it from launching any more schroot sessions for any other users on
the machine
[USN-5586-1] SDL vulnerability [07:05]
[USN-5583-1] systemd vulnerability [07:14]
[USN-5585-1] Jupyter Notebook vulnerabilities [07:44]
redirect, info leak etc
Goings on in Ubuntu Security Community
Increased CVE activity in curl [08:09]
noticed an increased rate in CVEs for curl in the last year
in particular on https://curl.se/dashboard1.html#vulns-per-year
(plus curl itself to fetch the data in the first place):
#!/bin/bash
for d in $(curl -s "https://ubuntu.com/security/cves.json?order=newest&package=curl&limit=100" | jq -r ".cves[].published"); do
date +%s -d "$d";
done > curlhist
#!/usr/bin/gnuplot
binwidth = 60*60*24*365 # ~30days in seconds
bin(x,width)=width*floor(x/width) + width/2.0
set xdata time
set datafile missing NaN
set boxwidth binwidth
set xtics format "%Y" time rotate
set style fill solid 0.5 # fill style
set title 'Frequency of curl CVEs in the Ubuntu CVE Tracker by year'
plot 'curlhist' using (bin($1,binwidth)):(1.0) \
smooth freq with boxes notitle
the first place (or actually not introduce it) - but overall it is good they
are being looked for and found and fixed
knowledge of the code - can’t just drive by and find bugs - need to spend a
lot of time getting to know the code and protocols etc well to be able to
find these sorts of issues
security issues
of each CVE in curl - like the Linux kernel, curl developers go back and try
find out what commit introduced a particular vulnerability - they can then
compare the time from when that original commit was introduced to when the
commit which fixes the bug was made
analysis using the data we collect in the Ubuntu CVE Tracker over the years
and found that for kernel vulnerabilities the average lifetime is 5.5 years
per year since 2007
doesn’t tell us if say the same amount of new code is being written each
year - perhaps this is more refactoring / cleanups over time?)
but since the CVE lifetime is growing over time, then more CVEs are being
found in the older code than newer code - and as such the quality of the
code seems to be improving over time
recently sounds bad, this is actually a good thing - it means these long lived
vulnerabilties are being found and fixed - this is a good thing - and the bug
bounty provides a good incentive to first encourage vulns to be looked for and
found and then to make sure they get reported and hence fixed (and not say
hoarded or sold to third parties etc)
exponentially - so over time the number of latent vulns in the curl codebase
is decreasing - and this is definitely a good thing
found and fixed you need to create an environment that encourages that - and
what is more motivating than cold hard cash?
Get in contact