Overview
This week we look at Linux kernel updates for all releases, OpenSSH, dovecot, curl and more. Plus we answer some frequently asked questions for Ubuntu security, in particular the perennial favourite of why we choose to just backport security fixes instead of doing rolling package version updates to resolve outstanding CVEs.
This week in Ubuntu Security Updates
[USN-3871-3, USN-3871-4, USN-3871-5] Linux kernel vulnerabilities
- 13 CVEs addressed in Bionic and Xenial (HWE - backport of the Bionic kernel to Xenial)
- CVE-2018-9516, CVE-2018-19407, CVE-2018-18281, CVE-2018-17972, CVE-2018-16882, CVE-2018-14625, CVE-2018-10883, CVE-2018-10880, CVE-2018-10882, CVE-2018-10878, CVE-2018-10877, CVE-2018-10879, CVE-2018-10876
- Last week (Episode 19) covered the kernel update for Bionic in preparation for 18.04.2; this is the corresponding update for the various platforms using the Bionic kernel (AWS, GCP, KVM, OEM, Raspberry Pi 2) and Azure
[USN-3878-1, USN-3878-2] Linux kernel vulnerabilities
- 4 CVEs addressed in Cosmic
- CVE-2018-19854, CVE-2018-19407, CVE-2018-16882, CVE-2018-14625
- Last week (Episode 19) covered the kernel update for Bionic in preparation for 18.04.2, which included the Cosmic HWE kernel for Bionic as well; this is the corresponding update for Cosmic itself on all supported platforms (physical, cloud, etc.)
[USN-3879-1, USN-3879-2] Linux kernel vulnerabilities
- 5 CVEs addressed in Xenial and Trusty (Xenial HWE)
- CVE-2018-20169, CVE-2018-19824, CVE-2018-19407, CVE-2018-16862, CVE-2018-10883
- OOB read when reading a USB device descriptor - needs local physical access to connect a malicious device - crash -> DoS
- UAF in ALSA via a malicious USB sound device that exposes zero interfaces - crash -> DoS, possible code execution
- Uninitialised ioapics (covered in Episode 19)
- Cleancache subsystem - after file truncation (removal) the inode wouldn't be properly cleared, so if a new file was created with the same inode it might contain leftover pages from cleancache and hence data from the old file; only affects Ubuntu kernels under Xen with the tmem driver
- ext4 - OOB write via a maliciously crafted image
[USN-3880-1, USN-3880-2] Linux kernel vulnerabilities
- 4 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
- CVE-2018-9568, CVE-2018-18281, CVE-2018-17972, CVE-2018-1066
- Possible memory corruption via type confusion when cloning a socket - privilege escalation
- mremap() issue (covered in Episode 15)
- procfs stack unwinding to leak the kernel stack of another task (covered in Episode 12)
- NULL pointer dereference in the in-kernel CIFS client, triggered by a malicious server (crash -> DoS)
[USN-3881-1, USN-3881-2] Dovecot vulnerability
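Ahead of the notes for this advisory, an added example (not Dovecot's own code) modelling the CVE-2019-3814 decision: the login name is meant to come from a trusted client cert, but the vulnerable flow falls back to the client-supplied name when the cert carries none, while the cert has already satisfied the password step. The config struct and its field names are this example's own, not Dovecot's settings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical config modelling the three settings involved in CVE-2019-3814
 * (field names are this example's own, not Dovecot's). */
typedef struct {
    bool require_client_cert;    /* client must present a trusted cert */
    bool username_from_cert;     /* take the login name from that cert */
    bool cert_replaces_password; /* a trusted cert satisfies the password step */
} ssl_auth_cfg;

/* The passwordless, username-from-cert setup the episode describes. */
const ssl_auth_cfg CERT_LOGIN_CFG = { true, true, true };

/* Shared credential gate: cert required and trusted; password or cert accepted. */
static bool credentials_ok(const ssl_auth_cfg *cfg, bool cert_trusted, bool password_ok)
{
    if (cfg->require_client_cert && !cert_trusted)
        return false;
    return password_ok || (cert_trusted && cfg->cert_replaces_password);
}

/* Vulnerable flow: a trusted cert with no username field silently falls back
 * to the name the client typed, so the identity is whatever the client claimed. */
const char *resolve_user_vuln(const ssl_auth_cfg *cfg, bool cert_trusted,
                              const char *cert_user, const char *claimed_user,
                              bool password_ok)
{
    if (!credentials_ok(cfg, cert_trusted, password_ok))
        return NULL;
    if (cfg->username_from_cert && cert_user != NULL && cert_user[0] != '\0')
        return cert_user;
    return claimed_user; /* bug: unverified, client-chosen identity */
}

/* Fixed flow: when the username is supposed to come from the cert, a cert
 * without one is an authentication failure rather than a fallback. */
const char *resolve_user_fixed(const ssl_auth_cfg *cfg, bool cert_trusted,
                               const char *cert_user, const char *claimed_user,
                               bool password_ok)
{
    if (!credentials_ok(cfg, cert_trusted, password_ok))
        return NULL;
    if (cfg->username_from_cert) {
        if (cert_user == NULL || cert_user[0] == '\0')
            return NULL;
        return cert_user;
    }
    return claimed_user; /* plain user/pass login, already checked by credentials_ok */
}
```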
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- CVE-2019-3814
- Interaction of username/password authentication with trusted SSL certs - can configure for user/pass, but can also configure for the client to present a trusted cert
- Can configure to take the username from the cert instead of from the explicit username, AND can also configure no password if using a cert
- BUT if there is no username in the cert, the explicitly specified username is used instead - so could log in as any user
[USN-3882-1] curl vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- CVE-2019-3823, CVE-2019-3822, CVE-2018-16890
- OOB read when parsing the end of an SMTP response
- Stack buffer overflow when creating an NTLMv2 type-3 header based on previously received data (the size checks were not sufficient since they suffered from an integer overflow)
- OOB read in NTLM type-2 handling via an integer overflow
[USN-3883-1] LibreOffice vulnerabilities
- 5 CVEs addressed in Trusty, Xenial
- CVE-2018-16858, CVE-2018-10583, CVE-2018-11790, CVE-2018-10120, CVE-2018-10119
- 3 CVEs for mishandling various elements in different document types - UAF, heap-based buffer overflow (write), etc. - crash -> DoS, possible code execution
- Information disclosure (leak of NTLM hashes) via an embedded link to a remote SMB resource within a document
- Directory traversal flaw leading to code execution:
  - a document can contain links which, like HTML, can have attributes such as a script which will get executed without prompting - so onMouseOver() etc.
  - this can refer to a file on the local filesystem outside the document structure itself
  - LibreOffice ships with its own Python interpreter that contains functions which can be abused to run arbitrary commands
  - so a document can specify both the path to one of these files AND arguments to pass to it to run
[USN-3884-1] libarchive vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- CVE-2019-1000020, CVE-2019-1000019
- Infinite loop when parsing a specially crafted ISO9660 CD/DVD iso file -> DoS
- OOB read when decompressing a specially crafted 7z file -> crash -> DoS
[USN-3885-1] OpenSSH vulnerabilities
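Ahead of the notes for this advisory, an added example (not OpenSSH's own code) of the client-side checks that close two of these scp holes: a filename the server announces must match the name or glob the user actually requested and must not be . or empty, and control characters are escaped before a server-supplied name is echoed in the progress display. The function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Validate a filename announced by the scp server before it is written into
 * the local target directory. requested is the path or glob the user asked for. */
bool scp_name_ok(const char *requested, const char *announced)
{
    /* CVE-2018-20685: "." (or an empty name) made the client apply the
     * server-supplied mode to the target directory itself */
    if (announced == NULL || announced[0] == '\0' ||
        strcmp(announced, ".") == 0 || strcmp(announced, "..") == 0)
        return false;
    /* a separator in the announced name could escape the target directory */
    if (strchr(announced, '/') != NULL)
        return false;
    /* CVE-2019-6111: the name must match the requested basename or glob, so a
     * server cannot deliver a dotfile when the client asked for report*.pdf */
    const char *slash = strrchr(requested, '/');
    const char *pattern = (slash != NULL) ? slash + 1 : requested;
    return fnmatch(pattern, announced, 0) == 0;
}

/* CVE-2019-6109: escape control characters before echoing a server-supplied
 * name in the progress display, so \r or ANSI escape sequences cannot hide the
 * line that announced an extra file. Returns the number of bytes escaped. */
int scp_display_name(const char *name, char *out, size_t outlen)
{
    int escaped = 0;
    size_t n = 0;
    for (const char *p = name; *p != '\0' && n + 1 < outlen; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f) {
            out[n++] = '?';
            escaped++;
        } else {
            out[n++] = (char)c;
        }
    }
    if (outlen > 0)
        out[n] = '\0';
    return escaped;
}

/* Wrapper so the escape count can be checked without a caller-supplied buffer. */
int scp_display_escapes(const char *name)
{
    char buf[256];
    return scp_display_name(name, buf, sizeof buf);
}
```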
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- CVE-2019-6111, CVE-2019-6109, CVE-2018-20685
- Three vulnerabilities in scp able to be triggered via a malicious server (low probability)
- Fails to validate that file names from the remote server match the requested ones - the server can overwrite arbitrary files on the local side in the target directory
- Fails to use proper character encoding in the progress display, allowing the server to manipulate the client's output to hide the output of additional files being sent
- Fails to check if the target filename is . or empty - allows a remote server to change the permissions of the client's local directory
- Together these allow a server to easily overwrite local files on the client side without the client user being aware
Goings on in Ubuntu Security Community
FAQs about Ubuntu Security
What packages are supported?
- main only (~2.3k source packages in Bionic - cf. universe with ~26k source packages)
What timeframe?
- lifetime of the release - so from the official release date to the EOL date
- LTS: 5 years, non-LTS: 9 months
- ESM provides security fixes beyond the EOL for LTS releases
Why do we backport patches instead of just updating to the latest versions?
- Users expect a high degree of stability
- changes need caution and good rationale
- lots of previous regressions from innocent-looking changes
- no change is completely free of risk
- only changes which have high impact are made (security fixes, severe regressions, loss of data, etc.)
- for more details see the SRU page on the Ubuntu wiki
- so security updates must follow suit
Get in contact
- #ubuntu-security on the Libera.Chat IRC network
- @ubuntu_sec on twitter