Sign up to save your podcasts
Or
Share Episode 193
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 193
Overview
The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of
the things the security team has been doing along the way, plus it’s our 6000th
USN so we look back at the last 19 years of USNs whilst covering security
updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.
This week in Ubuntu Security Updates
109 unique CVEs addressed
[USN-5998-1] Apache Log4j vulnerabilities (01:00)
not deemed as critical
[USN-6000-1] Linux kernel (BlueField) vulnerabilities (01:37)
episodes)
[USN-6001-1] Linux kernel (AWS) vulnerabilities (04:18)
update this week - thanks as always to the kernel team for all their work on
these
[USN-6004-1] Linux kernel (Intel IoTG) vulnerabilities (04:42)
[USN-6007-1] Linux kernel (GCP) vulnerabilities (04:51)
[USN-6009-1] Linux kernel (GCP) vulnerabilities
[USN-6003-1] Emacs vulnerability (05:03)
if used org-mode to output to a latex document which included other documents
that had shell metacharacters in their filenames, could get code execution as
the user running Emacs
[USN-6002-1] Irssi vulnerability (05:45)
outputting a line that was formatted - only likely to be able to be triggered
by various scripts - was discovered after a recent update to GLib 2.75 which
stopped using it’s own internal memory allocator and instead switched to
regular malloc() / free() - would then trigger the memory checking of libc
which detected this
[USN-6005-1] Sudo vulnerabilities (07:25)
be used to list or play back the commands executed in a sudo session) - and so
could allow an attacker to get code execution as the user running sudoreplay
by injecting terminal control characters
[USN-6010-1] Firefox vulnerabilities (08:45)
downloaded .desktop files - could allow an attacker to get code execution as
the user running firefox - interesting to note that as a snap, firefox is
confined by default and cannot execute arbitrary commands from the host
system - can only use binaries from within the firefox snap itself or the
user’s $HOME which makes exploitation of such an issue harder since less
LOLBins to make use of
[USN-6011-1] Json-smart vulnerabilities (10:00)
unclosed quotes and the other in unclosed brackets - both could allow an
attacker to DoS the application through crafted input
Goings on in Ubuntu Security Community
Preparing for the release of Ubuntu 23.04 (Lunar Lobster) (10:36)
this cycle:
dbus-daemon in a future Ubuntu release
improved integrity of snaps
Ubuntu Security Podcast on 2 weeks break
product roadmap sprint in Prague
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of
the things the security team has been doing along the way, plus it’s our 6000th
USN so we look back at the last 19 years of USNs whilst covering security
updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.
This week in Ubuntu Security Updates
109 unique CVEs addressed
[USN-5998-1] Apache Log4j vulnerabilities (01:00)
not deemed as critical
[USN-6000-1] Linux kernel (BlueField) vulnerabilities (01:37)
episodes)
[USN-6001-1] Linux kernel (AWS) vulnerabilities (04:18)
update this week - thanks as always to the kernel team for all their work on
these
[USN-6004-1] Linux kernel (Intel IoTG) vulnerabilities (04:42)
[USN-6007-1] Linux kernel (GCP) vulnerabilities (04:51)
[USN-6009-1] Linux kernel (GCP) vulnerabilities
[USN-6003-1] Emacs vulnerability (05:03)
if used org-mode to output to a latex document which included other documents
that had shell metacharacters in their filenames, could get code execution as
the user running Emacs
[USN-6002-1] Irssi vulnerability (05:45)
outputting a line that was formatted - only likely to be able to be triggered
by various scripts - was discovered after a recent update to GLib 2.75 which
stopped using it’s own internal memory allocator and instead switched to
regular malloc() / free() - would then trigger the memory checking of libc
which detected this
[USN-6005-1] Sudo vulnerabilities (07:25)
be used to list or play back the commands executed in a sudo session) - and so
could allow an attacker to get code execution as the user running sudoreplay
by injecting terminal control characters
[USN-6010-1] Firefox vulnerabilities (08:45)
downloaded .desktop files - could allow an attacker to get code execution as
the user running firefox - interesting to note that as a snap, firefox is
confined by default and cannot execute arbitrary commands from the host
system - can only use binaries from within the firefox snap itself or the
user’s $HOME which makes exploitation of such an issue harder since less
LOLBins to make use of
[USN-6011-1] Json-smart vulnerabilities (10:00)
unclosed quotes and the other in unclosed brackets - both could allow an
attacker to DoS the application through crafted input
Goings on in Ubuntu Security Community
Preparing for the release of Ubuntu 23.04 (Lunar Lobster) (10:36)
this cycle:
dbus-daemon in a future Ubuntu release
improved integrity of snaps
Ubuntu Security Podcast on 2 weeks break
product roadmap sprint in Prague
Get in contact