Sign up to save your podcasts
Or
Share Episode 227
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 227
Overview
Ubuntu 24.04 LTS is finally released and we cover all the new security features
it brings, plus we look at security vulnerabilities in, and updates for,
FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6749-1] FreeRDP vulnerabilities (00:45)
[USN-6752-1] FreeRDP vulnerabilities (01:41)
[USN-6657-2] Dnsmasq vulnerabilities (01:54)
[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)
[USN-6750-1] Thunderbird vulnerabilities (02:19)
[USN-6751-1] Zabbix vulnerabilities (02:54)
be able to specify the user’s specific CSRF token - but in older versions only
there was only a session ID which is easier to guess
[USN-6753-1] CryptoJS vulnerability (03:38)
PBKDF2 - SHA1 with a single iteration - makes any passwords protected via
PBKDF2 in crypto-js easier to brute-force from the hashed value - instead
updated to use SHA256 with 250,000 rounds
[USN-6754-1] nghttp2 vulnerabilities (04:32)
releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we
covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 -
all DoS attacks)
which can be sent in a single stream - attacker can send many to cause a DoS
on the server either through CPU by lots of processing or memory by storing
all these headers in memory
[USN-6755-1] GNU cpio vulnerabilities (05:42)
CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the
archive - since it broke the use of the --no-absolute-filenames CLI argument
since focal
[USN-6756-1] less vulnerability (07:10)
to properly quote newlines embedded in a filename - could then allow for
arbitrary code execution if ran less on some untrusted file
less on say a gz compressed log file or even on a tar.gz tarball to list the
files etc
[USN-6757-1] PHP vulnerabilities (08:41)
same network/site could set a cookie via HTTP with one name, which then gets
used by sessions using HTTPS and when using a different cookie name - is a
problem since certain cookie names (like __Host- and __Secure-) have specific
meanings which in general should be allowed to be specified by the network but
only by the browser itself - so can be used to bypass usual restrictions
(apparently this issue was reported upstream by the original reported of the
2022 vuln but it got ignored by upstream till now…)
ie if the actual password started with a NUL byte and the specified a password
was the empty string would verify as true (unlikely to be an issue in practice)
integer overflow -> wraparound -> allocate small amount of memory for a large
number of values -> buffer overflow (low priority since would need to be able
to set this env var first)
[USN-6761-1] Anope vulnerability (11:15)
gain access again
[USN-6758-1] JSON5 vulnerability (11:37)
yaml, does away with a lot of the usual quotes etc
__proto__ key and hence would allow the ability to set arbitrary keys etc
within the returned object -> RCE
[LSN-0103-1] Linux kernel vulnerability (12:46)
Kernel type
22.04
20.04
18.04
aws
103.3
103.3
—
aws-5.15
—
103.3
—
aws-5.4
—
—
103.3
aws-6.5
103.1
—
—
azure
103.3
103.3
—
azure-5.4
—
—
103.3
azure-6.5
103.1
—
—
gcp
103.3
103.3
—
gcp-5.15
—
103.3
—
gcp-5.4
—
—
103.3
gcp-6.5
103.1
—
—
generic-5.15
—
103.3
—
generic-5.4
—
103.3
103.3
gke
103.3
103.3
—
hwe-6.5
103.1
—
—
ibm
103.3
—
—
ibm-5.15
—
103.3
—
linux
103.3
—
—
lowlatency-5.15
—
103.3
—
lowlatency-5.4
—
103.3
103.3
canonical-livepatch status
[USN-6760-1] Gerbv vulnerability (13:01)
Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of
testing with ASan enabled - crafted filename -> crash
[USN-6759-1] FreeRDP vulnerabilities (13:41)
[USN-6737-2] GNU C Library vulnerability
[USN-6729-3] Apache HTTP Server vulnerabilities
[USN-6718-3] curl vulnerabilities
[USN-6733-2] GnuTLS vulnerabilities
[USN-6734-2] libvirt vulnerabilities
[USN-6744-3] Pillow vulnerability
Goings on in Ubuntu Security Community
Ubuntu 24.04 LTS (Noble Numbat) released (14:27)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
Ubuntu 24.04 LTS is finally released and we cover all the new security features
it brings, plus we look at security vulnerabilities in, and updates for,
FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6749-1] FreeRDP vulnerabilities (00:45)
[USN-6752-1] FreeRDP vulnerabilities (01:41)
[USN-6657-2] Dnsmasq vulnerabilities (01:54)
[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)
[USN-6750-1] Thunderbird vulnerabilities (02:19)
[USN-6751-1] Zabbix vulnerabilities (02:54)
be able to specify the user’s specific CSRF token - but in older versions only
there was only a session ID which is easier to guess
[USN-6753-1] CryptoJS vulnerability (03:38)
PBKDF2 - SHA1 with a single iteration - makes any passwords protected via
PBKDF2 in crypto-js easier to brute-force from the hashed value - instead
updated to use SHA256 with 250,000 rounds
[USN-6754-1] nghttp2 vulnerabilities (04:32)
releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we
covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 -
all DoS attacks)
which can be sent in a single stream - attacker can send many to cause a DoS
on the server either through CPU by lots of processing or memory by storing
all these headers in memory
[USN-6755-1] GNU cpio vulnerabilities (05:42)
CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the
archive - since it broke the use of the --no-absolute-filenames CLI argument
since focal
[USN-6756-1] less vulnerability (07:10)
to properly quote newlines embedded in a filename - could then allow for
arbitrary code execution if ran less on some untrusted file
less on say a gz compressed log file or even on a tar.gz tarball to list the
files etc
[USN-6757-1] PHP vulnerabilities (08:41)
same network/site could set a cookie via HTTP with one name, which then gets
used by sessions using HTTPS and when using a different cookie name - is a
problem since certain cookie names (like __Host- and __Secure-) have specific
meanings which in general should be allowed to be specified by the network but
only by the browser itself - so can be used to bypass usual restrictions
(apparently this issue was reported upstream by the original reported of the
2022 vuln but it got ignored by upstream till now…)
ie if the actual password started with a NUL byte and the specified a password
was the empty string would verify as true (unlikely to be an issue in practice)
integer overflow -> wraparound -> allocate small amount of memory for a large
number of values -> buffer overflow (low priority since would need to be able
to set this env var first)
[USN-6761-1] Anope vulnerability (11:15)
gain access again
[USN-6758-1] JSON5 vulnerability (11:37)
yaml, does away with a lot of the usual quotes etc
__proto__ key and hence would allow the ability to set arbitrary keys etc
within the returned object -> RCE
[LSN-0103-1] Linux kernel vulnerability (12:46)
Kernel type
22.04
20.04
18.04
aws
103.3
103.3
—
aws-5.15
—
103.3
—
aws-5.4
—
—
103.3
aws-6.5
103.1
—
—
azure
103.3
103.3
—
azure-5.4
—
—
103.3
azure-6.5
103.1
—
—
gcp
103.3
103.3
—
gcp-5.15
—
103.3
—
gcp-5.4
—
—
103.3
gcp-6.5
103.1
—
—
generic-5.15
—
103.3
—
generic-5.4
—
103.3
103.3
gke
103.3
103.3
—
hwe-6.5
103.1
—
—
ibm
103.3
—
—
ibm-5.15
—
103.3
—
linux
103.3
—
—
lowlatency-5.15
—
103.3
—
lowlatency-5.4
—
103.3
103.3
canonical-livepatch status
[USN-6760-1] Gerbv vulnerability (13:01)
Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of
testing with ASan enabled - crafted filename -> crash
[USN-6759-1] FreeRDP vulnerabilities (13:41)
[USN-6737-2] GNU C Library vulnerability
[USN-6729-3] Apache HTTP Server vulnerabilities
[USN-6718-3] curl vulnerabilities
[USN-6733-2] GnuTLS vulnerabilities
[USN-6734-2] libvirt vulnerabilities
[USN-6744-3] Pillow vulnerability
Goings on in Ubuntu Security Community
Ubuntu 24.04 LTS (Noble Numbat) released (14:27)
Get in contact