Sign up to save your podcasts
Or
Share Episode 195
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 195
Overview
Alex and Camila discuss security update management strategies after a recent
outage at Datadog was attributed to a security update for systemd on Ubuntu,
plus we look at security vulnerabilities in the Linux kernel, OpenStack,
Synapse, OpenJDK and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)
simply removes this classifier from the kernel
[USN-6070-1] Linux kernel vulnerabilities (01:37)
[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)
([USN-6057-1] Linux kernel
(Intel IoTG) vulnerabilities from Episode 194), race-condition in handling
of handling of copy-on-write read-only shared memory mappings - unpriv user
could then get write on these read-only mappings -> privesc
[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)
[USN-6079-1] Linux kernel vulnerabilities (02:49)
[USN-6080-1] Linux kernel vulnerabilities (02:55)
[USN-6081-1] Linux kernel vulnerabilities (03:02)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)
(compute / virtual server provisioning) could result in storage volumes being
attached to the wrong compute instances - would happen when trying to detach a
volume from an instance
[USN-6073-5] Nova regression
volumes from instances
[USN-6074-1] Firefox vulnerabilities (04:15)
[USN-6074-2] Firefox regressions (04:27)
[USN-6075-1] Thunderbird vulnerabilities (04:36)
[USN-6060-3] MySQL regression (05:02)
would crash on startup - to fix, reverted an upstream commit which was
introduced to help with performance of atomic operations
[USN-6076-1] Synapse vulnerabilities (05:39)
visibility rules, DoS - exploited in the wild, insufficient randomness when
generating random IDs made them guessable, ability for unauthorised users to
hijack rooms, more predictable randomness which could allow remote attackers
to impersonate users, event spoofing due to improper signature validation -
some of these require to be the admin of a room or to have a malicious server
etc - but since Matrix is federated, this is not so implausible
[USN-6078-1] libwebp vulnerability (06:38)
[USN-6077-1] OpenJDK vulnerabilities (06:45)
for OpenJDK versions 20, 17, 11 and 8 across the various Ubuntu releases
[USN-6082-1] EventSource vulnerability (07:02)
authorisation headers to third party applications - but should have been
sanitising headers to avoid this as per same-origin-policy
Goings on in Ubuntu Security Community
Datadog outage and management of security updates (07:32)
that was triggered by a security update for systemd and the pros and cons of
automatic security updates plus other approaches which can be taken to allow
updates to be applied in a more controlled manner
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
Alex and Camila discuss security update management strategies after a recent
outage at Datadog was attributed to a security update for systemd on Ubuntu,
plus we look at security vulnerabilities in the Linux kernel, OpenStack,
Synapse, OpenJDK and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)
simply removes this classifier from the kernel
[USN-6070-1] Linux kernel vulnerabilities (01:37)
[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)
([USN-6057-1] Linux kernel
(Intel IoTG) vulnerabilities from Episode 194), race-condition in handling
of handling of copy-on-write read-only shared memory mappings - unpriv user
could then get write on these read-only mappings -> privesc
[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)
[USN-6079-1] Linux kernel vulnerabilities (02:49)
[USN-6080-1] Linux kernel vulnerabilities (02:55)
[USN-6081-1] Linux kernel vulnerabilities (03:02)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)
(compute / virtual server provisioning) could result in storage volumes being
attached to the wrong compute instances - would happen when trying to detach a
volume from an instance
[USN-6073-5] Nova regression
volumes from instances
[USN-6074-1] Firefox vulnerabilities (04:15)
[USN-6074-2] Firefox regressions (04:27)
[USN-6075-1] Thunderbird vulnerabilities (04:36)
[USN-6060-3] MySQL regression (05:02)
would crash on startup - to fix, reverted an upstream commit which was
introduced to help with performance of atomic operations
[USN-6076-1] Synapse vulnerabilities (05:39)
visibility rules, DoS - exploited in the wild, insufficient randomness when
generating random IDs made them guessable, ability for unauthorised users to
hijack rooms, more predictable randomness which could allow remote attackers
to impersonate users, event spoofing due to improper signature validation -
some of these require to be the admin of a room or to have a malicious server
etc - but since Matrix is federated, this is not so implausible
[USN-6078-1] libwebp vulnerability (06:38)
[USN-6077-1] OpenJDK vulnerabilities (06:45)
for OpenJDK versions 20, 17, 11 and 8 across the various Ubuntu releases
[USN-6082-1] EventSource vulnerability (07:02)
authorisation headers to third party applications - but should have been
sanitising headers to avoid this as per same-origin-policy
Goings on in Ubuntu Security Community
Datadog outage and management of security updates (07:32)
that was triggered by a security update for systemd and the pros and cons of
automatic security updates plus other approaches which can be taken to allow
updates to be applied in a more controlled manner
Get in contact