Overview
This week we take a look at the recent Crowdstrike outage and what we can learn
from it compared to the testing and release process for security updates in
Ubuntu, plus we cover details of vulnerabilities in poppler, phpCAS, EDK II,
Python, OpenJDK and one package with over 300 CVE fixes in a single update.
This week in Ubuntu Security Updates
462 unique CVEs addressed
[USN-6915-1] poppler vulnerability (01:35)
1 CVE addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
CVE-2024-6239
Installed by default in Ubuntu due to use by cups
The PDF document format describes a Catalog which has a tree of destinations - essentially hyperlinks within the document. These can be either a page number etc or a named location within the document. When opening a crafted document with a missing name property for a destination, name would then be NULL and would trigger a NULL ptr deref -> crash -> DoS
[USN-6913-1] phpCAS vulnerability (02:26)
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-39369
Authentication library for PHP to allow PHP applications to authenticate users against a Central Authentication Server (i.e. SSO).
When used for SSO, a user who is trying to use a web application gets directed to the CAS. The CAS then authenticates the user and returns a service ticket - the client application then needs to validate this ticket with the CAS, since it could have possibly been injected via the application. To do this, it passes the ticket along with its own service identifier to the CAS - and if this succeeds it is provided with the details of which user was authenticated etc.
For clients, phpCAS previously would use HTTP headers to determine where the CAS server was to authenticate the ticket. Since these can be manipulated by a malicious application, this could essentially redirect the client to send the ticket to the attacker, who could then use that to impersonate the client and login as the user.
Fix requires a refactor to include an additional API parameter which specifies either a fixed CAS server for the client to use, or a mechanism to auto-discover this in a secure way - either way, applications using phpCAS now need to be updated.
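The ticket validation step described above, as an added example in Python rather than phpCAS's own code: it puts the header-derived pattern that CVE-2022-39369 is about beside the configured-value pattern the fix moves to, and parses the CAS 2.0 serviceValidate response that tells the client which user was authenticated. The CASClientConfig fields, the sample headers, ticket and XML responses are all constructed for the example.

```python
"""CAS service-ticket validation on the client (web application) side.

Added example, not phpCAS code. The rule it illustrates: every URL that takes
part in validating a ticket (the CAS endpoint the ticket is sent to and the
service identifier it is validated against) must come from fixed configuration,
never from request headers that an attacker or a mis-set proxy can influence.
CASClientConfig, the sample headers and the XML bodies below are constructed.
"""
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace used by CAS protocol XML responses
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


@dataclass(frozen=True)
class CASClientConfig:
    cas_server_base: str   # fixed CAS server, e.g. "https://sso.example.org/cas"
    service_base_url: str  # the application's own fixed, canonical base URL


def validate_url_header_derived(cfg: CASClientConfig, headers: Mapping[str, str],
                                ticket: str, path: str) -> str:
    """WEAK pattern: the service identifier sent alongside the ticket is rebuilt
    from Host / X-Forwarded-Host on every request, so whoever controls those
    headers controls what the validation exchange is bound to."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    service = f"https://{host}{path}"
    return f"{cfg.cas_server_base}/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def validate_url_configured(cfg: CASClientConfig, ticket: str, path: str) -> str:
    """HARDENED pattern: both URLs come from configuration; headers are ignored."""
    service = cfg.service_base_url.rstrip("/") + path
    return f"{cfg.cas_server_base}/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_validate(xml_body: str) -> Optional[str]:
    """Return the authenticated user from a CAS 2.0 serviceValidate response,
    or None when the CAS server reported a failure (e.g. INVALID_TICKET)."""
    root = ET.fromstring(xml_body)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


# Constructed sample data (not captured from any real deployment)
CONFIG = CASClientConfig("https://sso.example.org/cas", "https://app.example.org")
SPOOFED_HEADERS = {"Host": "app.example.org", "X-Forwarded-Host": "untrusted.example.net"}
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validate_url_header_derived(CONFIG, SPOOFED_HEADERS, "ST-123", "/login"))
    print(validate_url_configured(CONFIG, "ST-123", "/login"))
    print(parse_service_validate(SUCCESS_XML), parse_service_validate(FAILURE_XML))
```

With the spoofed X-Forwarded-Host, the weak builder binds the ticket to a host the application never intended, while the configured builder produces the same URL regardless of what the request carried; that difference is exactly what the extra API parameter in the fixed phpCAS forces applications to supply.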
[USN-6914-1] OCS Inventory vulnerability
1 CVE addressed in Jammy (22.04 LTS)
CVE-2022-39369
Same as above since it has an embedded copy of phpCAS
[USN-6916-1] Lua vulnerabilities (04:44)
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-33099 CVE-2022-28805
Heap buffer over-read and a possible heap buffer overflow via recursive error handling - looks like both require to be interpreting malicious code
[USN-6920-1] EDK II vulnerabilities (05:04)
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2019-0160 CVE-2018-3613 CVE-2018-12183 CVE-2018-12182 CVE-2017-5731
UEFI firmware implementation used in qemu etc
Various missing bounds checks -> stack and heap buffer overflows -> DoS or code execution in BIOS context -> privilege escalation within the VM
[USN-6928-1] Python vulnerabilities (05:49)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2024-4032 CVE-2024-0397
Memory race in the ssl module - various functions can be called to get certificate information at the same time as certs are being loaded, if a TLS handshake happens to be in progress with a certificate directory configured - all via different threads. Python would then possibly return inconsistent results leading to various issues
Occurs since the ssl module is implemented in C to interface with openssl and did not properly lock access to the certificate store
[USN-6929-1, USN-6930-1] OpenJDK 8 and OpenJDK 11 vulnerabilities (06:52)
6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
CVE-2024-21147 CVE-2024-21145 CVE-2024-21144 CVE-2024-21140 CVE-2024-21138 CVE-2024-21131
Latest upstream releases of OpenJDK 8 and 11: 8u422-b05-1, 11.0.24+8
Fixes various issues in the Hotspot and Concurrency components
[USN-6931-1, USN-6932-1] OpenJDK 17 and OpenJDK 21 vulnerabilities (07:11)
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
CVE-2024-21147 CVE-2024-21145 CVE-2024-21140 CVE-2024-21138 CVE-2024-21131
Latest upstream releases of OpenJDK 17 and 21: 17.0.12+7, 21.0.4+7
Fixes the same issues in the Hotspot component
[USN-6934-1] MySQL vulnerabilities (07:29)
15 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
CVE-2024-21185 CVE-2024-21179 CVE-2024-21177 CVE-2024-21173 CVE-2024-21171 CVE-2024-21165 CVE-2024-21163 CVE-2024-21162 CVE-2024-21142 CVE-2024-21134 CVE-2024-21130 CVE-2024-21129 CVE-2024-21127 CVE-2024-21125 CVE-2024-20996
Also latest upstream release: 8.0.39
Bug fixes, possible new features and incompatible changes - consult the release notes:
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-38.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-39.html
https://www.oracle.com/security-alerts/cpujul2024.html
[USN-6917-1] Linux kernel vulnerabilities (07:57)
156 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2024-35933 CVE-2024-35910 CVE-2024-27393 CVE-2024-27004 CVE-2024-27396 CVE-2024-36029 CVE-2024-26955 CVE-2024-35976 CVE-2024-26966 CVE-2024-26811 CVE-2024-35871 CVE-2023-52699 CVE-2024-35796 CVE-2024-35851 CVE-2024-35885 CVE-2024-35813 CVE-2024-35789 CVE-2024-35825 CVE-2024-26994 CVE-2024-35815 CVE-2024-27395 CVE-2024-26981 CVE-2024-35886 CVE-2024-26931 CVE-2024-35791 CVE-2024-35849 CVE-2024-35978 CVE-2024-35895 CVE-2024-35918 CVE-2024-35902 CVE-2024-26926 CVE-2024-35934 CVE-2024-35807 CVE-2024-35805 CVE-2024-36008 CVE-2024-26950 CVE-2024-26973 CVE-2024-35898 CVE-2024-35955 CVE-2024-36004 CVE-2024-36006 CVE-2024-35990 CVE-2024-35944 CVE-2024-36007 CVE-2024-35896 CVE-2024-35819 CVE-2024-26988 CVE-2024-35872 CVE-2024-36025 CVE-2024-26957 CVE-2024-35897 CVE-2024-27016 CVE-2024-35806 CVE-2024-35927 CVE-2022-48808 CVE-2024-35960 CVE-2024-27001 CVE-2024-35970 CVE-2024-35988 CVE-2024-36005 CVE-2024-35821 CVE-2024-35925 CVE-2024-26961 CVE-2024-35817 CVE-2024-26922 CVE-2024-26976 CVE-2024-35899 CVE-2024-35984 CVE-2024-26929 CVE-2024-27018 CVE-2024-35907 CVE-2024-35884 CVE-2023-52488 CVE-2024-35982 CVE-2024-26934 CVE-2024-26935 CVE-2024-35973 CVE-2024-26958 CVE-2024-27008 CVE-2024-35809 CVE-2024-26951 CVE-2024-35900 CVE-2024-35888 CVE-2024-26965 CVE-2024-26828 CVE-2024-35935 CVE-2024-35857 CVE-2024-26642 CVE-2024-26989 CVE-2024-35893 CVE-2024-35877 CVE-2024-27009 CVE-2024-35785 CVE-2024-35905 CVE-2024-27020 CVE-2024-35901 CVE-2024-26956 CVE-2024-26977 CVE-2024-26969 CVE-2024-26810 CVE-2024-26813 CVE-2024-35930 CVE-2024-26970 CVE-2024-26687 CVE-2024-27015 CVE-2024-35847 CVE-2024-26999 CVE-2024-35940 CVE-2024-35890 CVE-2024-26814 CVE-2024-35958 CVE-2024-35804 CVE-2024-26629 CVE-2024-26974 CVE-2023-52880 CVE-2024-26937 CVE-2024-35922 CVE-2024-35854 CVE-2024-27013 CVE-2024-35853 CVE-2024-27000 CVE-2024-35989 CVE-2024-35852 CVE-2024-35823 CVE-2024-36020 CVE-2024-36031 CVE-2024-26923 CVE-2024-26654 CVE-2024-26925
CVE-2024-35855 CVE-2024-35997 CVE-2024-35822 CVE-2024-27019 CVE-2024-35938 CVE-2024-35915 CVE-2024-35912 CVE-2024-35936 CVE-2024-35969 CVE-2024-27059 CVE-2024-26964 CVE-2024-27437 CVE-2024-26960 CVE-2024-35950 CVE-2024-26817 CVE-2024-26984 CVE-2024-26812 CVE-2024-35879 CVE-2024-26996 CVE-2024-26993 CVE-2024-25739 CVE-2024-24861 CVE-2024-24859 CVE-2024-24858 CVE-2024-24857 CVE-2024-23307 CVE-2022-38096
5.15 - Azure + FDE (CVM)
[USN-6918-1] Linux kernel vulnerabilities
180 CVEs addressed in Noble (24.04 LTS)
CVE-2024-24859 CVE-2024-24858 CVE-2024-24857 CVE-2024-35932 CVE-2024-35937 CVE-2024-27006 CVE-2024-35960 CVE-2024-27011 CVE-2024-35924 CVE-2024-35946 CVE-2024-35942 CVE-2024-35921 CVE-2024-35908 CVE-2024-26811 CVE-2024-27008 CVE-2024-35871 CVE-2024-36019 CVE-2024-35965 CVE-2024-35973 CVE-2024-26981 CVE-2024-27009 CVE-2024-27019 CVE-2024-36022 CVE-2024-35910 CVE-2024-35907 CVE-2024-35860 CVE-2024-35951 CVE-2024-26924 CVE-2024-26921 CVE-2024-35901 CVE-2024-35972 CVE-2024-35889 CVE-2024-27017 CVE-2024-35913 CVE-2024-35936 CVE-2024-36025 CVE-2024-35961 CVE-2024-35977 CVE-2024-35902 CVE-2024-26817 CVE-2024-26994 CVE-2023-52699 CVE-2024-35868 CVE-2024-35899 CVE-2024-35888 CVE-2024-26995 CVE-2024-35865 CVE-2024-26993 CVE-2024-35863 CVE-2024-35970 CVE-2024-35943 CVE-2024-35875 CVE-2024-35978 CVE-2024-27005 CVE-2024-35909 CVE-2024-35957 CVE-2024-35950 CVE-2024-26986 CVE-2024-36020 CVE-2024-35952 CVE-2024-26928 CVE-2024-35878 CVE-2024-35954 CVE-2024-26998 CVE-2024-36024 CVE-2024-26936 CVE-2024-27018 CVE-2024-35900 CVE-2024-35940 CVE-2024-35985 CVE-2024-35944 CVE-2024-35958 CVE-2024-35864 CVE-2024-35975 CVE-2024-27002 CVE-2024-36018 CVE-2024-35974 CVE-2024-26926 CVE-2024-35877 CVE-2024-35916 CVE-2024-35934 CVE-2024-35930 CVE-2024-35898 CVE-2024-35893 CVE-2024-35887 CVE-2024-35929 CVE-2024-26923 CVE-2024-35911 CVE-2024-35919 CVE-2024-26984 CVE-2024-27016 CVE-2024-35926 CVE-2024-35872 CVE-2024-35922 CVE-2024-27007 CVE-2024-35931 CVE-2024-36021 CVE-2024-35953 CVE-2024-27004 CVE-2024-27001 CVE-2024-27014 CVE-2024-35866 CVE-2024-27021 CVE-2024-35870 CVE-2024-35925 CVE-2024-35891 CVE-2024-26982 CVE-2024-35879 CVE-2024-35979 CVE-2024-35912 CVE-2024-35982 CVE-2024-27015 CVE-2024-26985 CVE-2024-35861 CVE-2024-35939 CVE-2024-27003 CVE-2024-35945 CVE-2024-35967 CVE-2024-35966 CVE-2024-26983 CVE-2024-35894 CVE-2024-35896 CVE-2024-36027 CVE-2024-35895 CVE-2024-26987 CVE-2024-35873 CVE-2024-26996 CVE-2024-26991 CVE-2024-27013 CVE-2024-36026
CVE-2024-26922 CVE-2024-35897 CVE-2024-35917 CVE-2024-35968 CVE-2024-35890 CVE-2024-35904 CVE-2024-35867 CVE-2024-35933 CVE-2024-35918 CVE-2024-35920 CVE-2024-26997 CVE-2024-35981 CVE-2024-35963 CVE-2024-26989 CVE-2024-26999 CVE-2024-35892 CVE-2024-27010 CVE-2024-26992 CVE-2024-35935 CVE-2024-27022 CVE-2024-35971 CVE-2024-35956 CVE-2024-35862 CVE-2024-35969 CVE-2024-27012 CVE-2024-26990 CVE-2024-35885 CVE-2024-26925 CVE-2024-35905 CVE-2024-35914 CVE-2024-35884 CVE-2024-35927 CVE-2024-35882 CVE-2024-26980 CVE-2024-35964 CVE-2024-35955 CVE-2024-27020 CVE-2024-35980 CVE-2024-35903 CVE-2024-35976 CVE-2024-35886 CVE-2024-35883 CVE-2024-35959 CVE-2024-35915 CVE-2024-35880 CVE-2024-27000 CVE-2024-35938 CVE-2024-35869 CVE-2024-36023 CVE-2024-26988
6.8 - Oracle
[USN-6919-1] Linux kernel vulnerabilities
304 CVEs addressed in Jammy (22.04 LTS)
CVE-2024-35976 CVE-2023-52880 CVE-2024-35849 CVE-2024-27073 CVE-2024-35934 CVE-2024-27038 CVE-2024-26973 CVE-2024-35853 CVE-2024-27047 CVE-2024-36007 CVE-2024-27024 CVE-2024-26750 CVE-2024-26833 CVE-2024-26960 CVE-2024-26929 CVE-2023-52488 CVE-2024-27417 CVE-2024-26922 CVE-2024-26863 CVE-2024-35890 CVE-2024-27015 CVE-2024-27395 CVE-2024-26779 CVE-2024-27419 CVE-2024-27013 CVE-2024-26981 CVE-2024-26798 CVE-2024-26895 CVE-2024-35922 CVE-2023-52699 CVE-2024-26883 CVE-2024-35871 CVE-2024-27410 CVE-2024-26884 CVE-2024-26885 CVE-2024-27074 CVE-2024-26751 CVE-2024-26857 CVE-2024-26848 CVE-2024-26901 CVE-2024-35844 CVE-2024-35809 CVE-2024-26687 CVE-2024-35988 CVE-2024-26835 CVE-2024-26764 CVE-2024-27020 CVE-2024-35907 CVE-2024-35886 CVE-2024-27077 CVE-2024-26787 CVE-2024-26950 CVE-2024-26974 CVE-2024-35905 CVE-2024-27008 CVE-2024-26744 CVE-2024-35935 CVE-2024-26988 CVE-2024-26748 CVE-2024-26776 CVE-2024-26907 CVE-2024-27053 CVE-2024-35970 CVE-2024-35950 CVE-2024-35854 CVE-2024-35822 CVE-2024-26961 CVE-2024-26733 CVE-2024-26773 CVE-2024-27390 CVE-2024-35888 CVE-2024-36029 CVE-2024-26643 CVE-2024-35821 CVE-2024-35819 CVE-2024-26809 CVE-2024-35984 CVE-2024-26851 CVE-2024-35940 CVE-2024-26654 CVE-2024-35910 CVE-2024-26891 CVE-2024-26793 CVE-2024-35938 CVE-2024-26736 CVE-2024-26583 CVE-2024-26870 CVE-2024-35828 CVE-2024-35885 CVE-2024-35958 CVE-2024-26889 CVE-2024-35899 CVE-2024-26839 CVE-2024-26894 CVE-2024-26937 CVE-2024-35925 CVE-2024-35933 CVE-2024-26771 CVE-2024-26923 CVE-2024-26852 CVE-2024-26924 CVE-2024-26872 CVE-2024-26774 CVE-2024-35930 CVE-2024-27065 CVE-2024-26993 CVE-2024-27034 CVE-2024-36020 CVE-2024-26802 CVE-2024-26976 CVE-2022-48808 CVE-2024-35847 CVE-2024-26996 CVE-2024-36025 CVE-2023-52652 CVE-2024-27403 CVE-2023-52447 CVE-2024-27037 CVE-2024-27413 CVE-2024-26749 CVE-2024-26956 CVE-2024-26958 CVE-2024-26754 CVE-2024-26812 CVE-2024-26772 CVE-2024-27436 CVE-2024-27437 CVE-2024-35912 CVE-2024-35805 CVE-2024-26845
CVE-2024-35990 CVE-2024-35791 CVE-2024-26906 CVE-2024-27039 CVE-2024-26915 CVE-2024-26970 CVE-2024-26782 CVE-2024-26813 CVE-2023-52645 CVE-2024-26935 CVE-2024-27076 CVE-2024-35823 CVE-2024-26743 CVE-2024-26846 CVE-2024-26811 CVE-2024-26989 CVE-2024-26642 CVE-2024-26659 CVE-2024-26766 CVE-2024-27393 CVE-2024-26859 CVE-2024-35898 CVE-2024-35893 CVE-2023-52640 CVE-2024-26795 CVE-2024-27009 CVE-2024-26791 CVE-2024-27043 CVE-2024-26934 CVE-2024-27051 CVE-2024-26804 CVE-2024-26878 CVE-2024-27030 CVE-2024-27000 CVE-2024-26777 CVE-2024-35825 CVE-2024-27415 CVE-2024-27001 CVE-2024-27004 CVE-2024-26769 CVE-2024-26816 CVE-2024-35807 CVE-2024-35900 CVE-2024-35851 CVE-2024-27052 CVE-2024-26805 CVE-2024-35804 CVE-2024-35944 CVE-2024-35895 CVE-2024-26897 CVE-2024-27045 CVE-2024-26814 CVE-2024-26801 CVE-2024-26874 CVE-2024-35982 CVE-2024-35915 CVE-2024-26820 CVE-2024-26603 CVE-2024-35997 CVE-2024-26688 CVE-2024-27054 CVE-2024-26828 CVE-2024-35857 CVE-2023-52662 CVE-2024-35989 CVE-2024-36005 CVE-2024-35785 CVE-2024-27396 CVE-2024-35884 CVE-2023-52650 CVE-2024-26882 CVE-2024-26879 CVE-2024-26898 CVE-2024-27388 CVE-2024-35879 CVE-2024-35918 CVE-2024-35978 CVE-2024-26585 CVE-2024-35872 CVE-2023-52497 CVE-2024-26778 CVE-2024-26999 CVE-2024-27046 CVE-2023-52434 CVE-2024-26862 CVE-2024-26810 CVE-2024-35796 CVE-2024-35960 CVE-2024-35969 CVE-2024-26966 CVE-2024-26856 CVE-2024-35936 CVE-2024-35955 CVE-2024-26763 CVE-2024-35806 CVE-2024-27059 CVE-2024-35855 CVE-2024-36008 CVE-2024-27075 CVE-2023-52620 CVE-2024-26931 CVE-2024-35813 CVE-2024-26788 CVE-2024-27412 CVE-2024-26861 CVE-2024-36004 CVE-2024-26951 CVE-2024-26903 CVE-2024-26584 CVE-2024-35877 CVE-2024-26792 CVE-2024-27416 CVE-2024-27432 CVE-2024-26651 CVE-2024-35852 CVE-2024-35973 CVE-2023-52656 CVE-2024-26965 CVE-2024-26969 CVE-2024-26840 CVE-2024-26817 CVE-2024-27028 CVE-2024-26752 CVE-2024-27016 CVE-2023-52641 CVE-2024-35789 CVE-2024-27078 CVE-2024-26994 CVE-2024-26629 CVE-2024-26803 CVE-2024-26977 CVE-2024-35830 CVE-2024-27019 
CVE-2024-26957 CVE-2024-36006 CVE-2024-35817 CVE-2024-26601 CVE-2024-35845 CVE-2024-35897 CVE-2024-27414 CVE-2024-26855 CVE-2024-26877 CVE-2024-35829 CVE-2024-35896 CVE-2024-26875 CVE-2024-27405 CVE-2024-26747 CVE-2023-52644 CVE-2024-26881 CVE-2024-26735 CVE-2024-26843 CVE-2024-26926 CVE-2024-26880 CVE-2024-26964 CVE-2024-27044 CVE-2024-26737 CVE-2024-27431 CVE-2024-26955 CVE-2024-26790 CVE-2024-26925 CVE-2024-26838 CVE-2024-26984 CVE-2024-25739 CVE-2024-24861 CVE-2024-24859 CVE-2024-24858 CVE-2024-24857 CVE-2024-23307 CVE-2024-22099 CVE-2024-21823 CVE-2024-0841 CVE-2023-7042 CVE-2023-6270 CVE-2022-38096
5.15 - Raspi
[USN-6922-1] Linux kernel vulnerabilities
4 CVEs addressed in Jammy (22.04 LTS)
CVE-2024-25739 CVE-2024-24859 CVE-2024-24858 CVE-2024-24857
6.5 - NVIDIA
[USN-6923-1, USN-6923-2] Linux kernel vulnerabilities
6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2024-36016 CVE-2024-27017 CVE-2023-52752 CVE-2024-26952 CVE-2024-26886 CVE-2024-25742
5.15 - generic, AWS, GCP, GKE, HWE, Intel-IOTG, KVM, LowLatency, NVIDIA, Oracle, IBM, Raspi
[USN-6921-1, USN-6921-2] Linux kernel vulnerabilities
7 CVEs addressed in Noble (24.04 LTS)
CVE-2024-36016 CVE-2024-36008 CVE-2024-35984 CVE-2024-35992 CVE-2024-35997 CVE-2024-35990 CVE-2024-25742
6.8 - generic, AWS, GCP, GKE, IBM, NVIDIA, OEM, Raspi, LowLatency
[USN-6924-1, USN-6924-2] Linux kernel vulnerabilities
7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2024-26583 CVE-2022-48655 CVE-2024-26907 CVE-2021-47131 CVE-2024-26585 CVE-2024-36016 CVE-2024-26584
5.4 - generic, AWS, Azure, Bluefield, GCP, GKE, HWE, IBM, IOT, KVM, Raspi, Xilinx-ZynqMP
[USN-6925-1] Linux kernel vulnerability
1 CVE addressed in Trusty ESM (14.04 ESM)
CVE-2024-26882
3.13 - generic, lowlatency, server, virtual
[USN-6926-1] Linux kernel vulnerabilities
30 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-52752 CVE-2023-52444 CVE-2024-26882 CVE-2023-52449 CVE-2024-26934 CVE-2024-26840 CVE-2024-36016 CVE-2024-27020 CVE-2023-52443 CVE-2024-26923 CVE-2024-26857 CVE-2024-36902 CVE-2024-35982 CVE-2024-26886 CVE-2024-35978 CVE-2023-52469 CVE-2024-26901 CVE-2024-26884 CVE-2023-52436 CVE-2024-35997 CVE-2023-52620 CVE-2024-35984 CVE-2024-27013 CVE-2023-52435 CVE-2024-25744 CVE-2024-25739 CVE-2024-24859 CVE-2024-24858 CVE-2024-24857 CVE-2023-46343
4.15 - generic, AWS, HWE, GCP, KVM, Oracle
[USN-6927-1] Linux kernel vulnerabilities
161 CVEs addressed in Focal (20.04 LTS)
CVE-2024-27008 CVE-2024-26951 CVE-2024-26970 CVE-2024-35815 CVE-2024-26828 CVE-2024-35898 CVE-2024-26999 CVE-2024-35938 CVE-2024-27016 CVE-2024-35825 CVE-2024-35950 CVE-2024-26969 CVE-2024-26643 CVE-2024-26924 CVE-2024-36025 CVE-2023-52752 CVE-2024-35936 CVE-2024-35847 CVE-2024-26964 CVE-2024-35857 CVE-2024-35854 CVE-2024-27437 CVE-2024-35851 CVE-2024-26654 CVE-2024-26629 CVE-2024-26988 CVE-2024-27001 CVE-2024-26956 CVE-2024-35990 CVE-2024-27020 CVE-2024-26996 CVE-2024-35817 CVE-2024-26950 CVE-2024-26810 CVE-2024-35893 CVE-2024-35852 CVE-2024-35895 CVE-2024-27009 CVE-2024-26687 CVE-2024-35821 CVE-2024-35944 CVE-2024-27015 CVE-2024-35822 CVE-2024-35823 CVE-2024-35890 CVE-2024-35973 CVE-2024-27013 CVE-2024-35912 CVE-2024-26817 CVE-2024-35935 CVE-2024-26989 CVE-2024-35877 CVE-2024-26926 CVE-2024-35849 CVE-2024-26993 CVE-2024-26974 CVE-2024-35791 CVE-2024-35910 CVE-2024-36008 CVE-2024-35988 CVE-2024-26813 CVE-2024-36006 CVE-2024-35879 CVE-2024-35789 CVE-2024-35969 CVE-2024-35925 CVE-2024-26984 CVE-2024-35871 CVE-2024-35853 CVE-2024-27004 CVE-2024-35899 CVE-2024-26931 CVE-2024-35934 CVE-2024-35796 CVE-2024-36020 CVE-2023-52699 CVE-2024-35930 CVE-2024-26957 CVE-2024-35804 CVE-2024-26922 CVE-2024-26814 CVE-2024-35900 CVE-2024-27395 CVE-2024-26642 CVE-2024-26960 CVE-2024-26935 CVE-2024-36005 CVE-2024-26981 CVE-2024-26934 CVE-2024-26976 CVE-2024-35806 CVE-2024-35915 CVE-2024-35922 CVE-2022-48808 CVE-2024-26973 CVE-2024-35933 CVE-2024-35785 CVE-2024-26937 CVE-2024-35918 CVE-2024-27000 CVE-2024-26977 CVE-2024-27393 CVE-2024-35984 CVE-2024-35970 CVE-2024-27019 CVE-2024-26955 CVE-2024-35888 CVE-2024-35976 CVE-2024-35982 CVE-2024-35805 CVE-2024-35960 CVE-2024-26812 CVE-2024-27017 CVE-2024-26966 CVE-2023-52880 CVE-2024-27396 CVE-2024-35809 CVE-2024-35997 CVE-2024-26958 CVE-2024-26961 CVE-2024-26923 CVE-2024-26811 CVE-2024-35813 CVE-2024-36029 CVE-2024-35896 CVE-2024-26965 CVE-2024-35885 CVE-2024-35855 CVE-2024-36007 CVE-2024-26929
CVE-2024-35897 CVE-2024-35905 CVE-2024-27018 CVE-2024-26886 CVE-2024-35884 CVE-2023-52488 CVE-2024-36016 CVE-2024-35872 CVE-2024-35819 CVE-2024-35907 CVE-2024-26952 CVE-2024-35940 CVE-2024-35989 CVE-2024-27059 CVE-2024-26925 CVE-2024-35955 CVE-2024-36004 CVE-2024-26994 CVE-2024-35807 CVE-2024-35886 CVE-2024-35978 CVE-2024-35958 CVE-2024-35902 CVE-2024-25742 CVE-2024-25739 CVE-2024-24861 CVE-2024-24859 CVE-2024-24858 CVE-2024-24857 CVE-2024-23307 CVE-2022-38096
5.15 - GCP
Goings on in Ubuntu Security Community
Discussion of testing for security updates in light of CrowdStrike (11:20)
Recent outage of over 8 million Windows machines running CrowdStrike Falcon
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Initially very little information on what happened - CS have now released more details about the apparent testing that was done, but clearly were never actually testing the combination of Windows + Falcon + Rapid Response Content, otherwise they would have observed this failure immediately
Also clearly didn't have any kind of staged/phased update process in place either
If you want to read a good analysis of the response from CS, see:
https://verse.systems/blog/post/2024-07-25-parsing-crowdstrikes-post/
Toby Murray (full disclosure, my brother) - Associate Professor and Co-Lead of Computer Science Research Group at School of Computing and Information Systems, University of Melbourne; Director, Defence Science Institute (Vic & Tas)
Future plans from CS now include gradual deployment of rules with "canaries" etc and then increased testing:
Local dev testing, content update testing, stress, fuzz, fault-injection, stability and interface testing
Toby (not surprisingly, as an expert in formal software verification) advocates for a formal approach to validating rules and in-kernel code etc
What can we learn from this for Ubuntu?
Formal methods might be tractable for a large company like CS which is developing a single, specific product like Falcon (particularly if they can reduce the size of their kernel module); this is not the case for a Linux distribution like Ubuntu, which collates over 30,000 different open source software projects
over 4TB of source code across the various releases
Instead have to take the pragmatic approach of thorough testing
For regular SRUs - detailed review by the SRU team including a thorough test plan, cross-package testing via Autopkgtest plus a minimum 7 day "soak" testing in the proposed pocket of the release before being pushed into the -updates pocket
Once in -updates, Phased Updates implements the gradual deployment model - you can check the progress of various updates at
https://ubuntu-archive-team.ubuntu.com/phased-updates.html
Watches for increased error reports via errors.ubuntu.com (captured via apport/whoopsie) and if detected stops the release of the package to users
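The gradual deployment model described for -updates, as an added example in Python; this is not apt's or Ubuntu's own implementation, only a model of the property that makes phased updates work as a guard rail: each machine derives a stable number from its own identity plus the source package and version, compares it with the current phased percentage, and so stays consistently in (or out of) the rollout as the percentage rises, while a rise in error reports holds the rollout where it is. The machine ids, package name, version and error counts are constructed for the example.

```python
"""Model of a phased-update gate of the kind used once an SRU reaches -updates.

Added example, not apt's code. rollout_bucket() gives every (machine, package,
version) a stable bucket in [0, 100); should_install() admits the machine when
its bucket is below the current Phased-Update-Percentage; next_percentage()
advances the phase unless the new version produces more error reports than the
old one. All ids, names and counts below are constructed.
"""
import hashlib
from typing import Iterable, List


def rollout_bucket(machine_id: str, source_pkg: str, version: str) -> int:
    """Stable bucket in [0, 100) for this machine/package/version triple.
    Mixing in the package and version means one machine is not always first
    (or never) in line for every rollout."""
    seed = f"{machine_id}/{source_pkg}/{version}".encode()
    digest = hashlib.sha256(seed).digest()
    return int.from_bytes(digest[:4], "big") % 100


def should_install(machine_id: str, source_pkg: str, version: str,
                   phased_percentage: int) -> bool:
    """True when this machine is inside the current phase. A percentage of 100
    (or a package carrying no phased percentage at all) means everyone."""
    if phased_percentage >= 100:
        return True
    return rollout_bucket(machine_id, source_pkg, version) < phased_percentage


def machines_in_phase(fleet: Iterable[str], source_pkg: str, version: str,
                      phased_percentage: int) -> List[str]:
    """Subset of the fleet that would take the update at this percentage."""
    return [m for m in fleet
            if should_install(m, source_pkg, version, phased_percentage)]


def next_percentage(current: int, errors_new: int, errors_old: int,
                    step: int = 10, max_regression: int = 0) -> int:
    """Advance the rollout by one step unless the new version is producing
    more error reports than the old one (the errors.ubuntu.com signal), in
    which case the rollout is held at the current percentage."""
    if errors_new - errors_old > max_regression:
        return current
    return min(100, current + step)


# Constructed fleet of machine ids (in reality each would be an /etc/machine-id)
FLEET = [f"constructed-machine-{i:04d}" for i in range(1000)]
PKG, VERSION = "example-pkg", "1.0-1"  # constructed placeholder package/version

if __name__ == "__main__":
    pct = 10
    while pct < 100:
        cohort = machines_in_phase(FLEET, PKG, VERSION, pct)
        print(f"{pct:3d}% -> {len(cohort)} of {len(FLEET)} machines")
        pct = next_percentage(pct, errors_new=0, errors_old=0)
```

Because the bucket is deterministic, the cohort at 20% is a superset of the cohort at 10%, which is what lets a regression caught at 10% be contained to the machines that already have the update rather than leaking to a fresh random sample on the next apt run.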
Compare that to the process for Security updates
Separate -security pocket in the archive which packages get published to immediately
No standardised review by a separate team - instead ad hoc reviews within the security team
No documented test plan per update - instead thorough test procedures including:
  checking for any changes in the build log (e.g. new compiler warnings/errors) and comparing the difference between the generated binaries (e.g. new / changed / missing symbols - ABI breaks)
  testing of the patched code including stepping through it with a debugger
  running any existing PoC or creating one if none exists and it is feasible
  running any existing unit/integration tests within the package (including dep8/autopkgtests)
  testing that apt upgrade of the package is smooth
  QA regression testing scripts - maintained by the security team, implement various regression tests and system-level tests for different packages to exercise them in various different configurations
Cross-package testing via security-britney - an instance of the autopkgtest infrastructure that runs against the public Ubuntu Security Proposed PPA (and we have a similar internal instance for the different private PPAs we use for embargoed updates or ESM etc)
No phased updates - instead immediate updates via the specific security.ubuntu.com archive, combined with unattended-upgrades, designed to deliver security updates as soon as possible to remediate issues
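The build-log and binary comparison step in the list above, as an added example in Python; it is not the security team's own tooling. It diffs the exported symbols of a shared library before and after a patch, working from `nm -D` style output, and reports compiler warnings that appear only in the new build log. The nm lines, symbol names and log lines are constructed for the example.

```python
"""Added example of the build-artifact checks a security update gets, not the
Ubuntu security team's scripts: compare exported symbols before/after a patch
(parsed from `nm -D` style output) and surface new compiler warnings. Every nm
line, symbol name and log line below is constructed for illustration.
"""
import re
from typing import Dict, List

# "<address> <type> <name>" as printed by nm; undefined symbols have no address.
NM_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]+)?\s*(?P<type>[A-Za-z?])\s+(?P<name>\S+)$")
# gcc/clang diagnostic: "file:line:col: warning: message [-Wflag]"
WARNING_LINE = re.compile(
    r"^(?P<loc>\S+?:\d+:\d+): warning: (?P<msg>.*?)(?: \[(?P<flag>-W[^\]]+)\])?$")


def parse_nm(output: str) -> Dict[str, str]:
    """Map exported symbol name -> nm type letter (T text, D data, W weak, ...).
    Undefined symbols (U) are references to other libraries, not part of this
    library's own ABI, so they are skipped."""
    symbols: Dict[str, str] = {}
    for line in output.splitlines():
        m = NM_LINE.match(line.strip())
        if m and m["type"] != "U":
            symbols[m["name"]] = m["type"]
    return symbols


def diff_symbols(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two exported-symbol tables."""
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def is_abi_break(diff: Dict[str, List[str]]) -> bool:
    """A security update should not remove or retype an exported symbol;
    additions are tolerable but still worth a second look during review."""
    return bool(diff["removed"] or diff["changed"])


def new_warnings(old_log: str, new_log: str) -> List[str]:
    """Warnings in the new build log that the old one did not have, keyed on
    message and flag rather than file position, since a patch shifts lines."""
    def keyed(log: str) -> Dict[tuple, str]:
        found: Dict[tuple, str] = {}
        for line in log.splitlines():
            m = WARNING_LINE.match(line)
            if m:
                found.setdefault((m["msg"], m["flag"]), line)
        return found
    old_keys = keyed(old_log)
    return [line for key, line in keyed(new_log).items() if key not in old_keys]


# Constructed sample data standing in for real nm output and build logs
OLD_NM = """\
0000000000001139 T doc_open
0000000000001180 T doc_dest_name
0000000000004020 D doc_version
0000000000001200 W doc_free
                 U malloc"""
NEW_NM = """\
0000000000001139 T doc_open
0000000000001190 T doc_dest_name_checked
0000000000004020 D doc_version
0000000000001200 T doc_free
                 U malloc"""
OLD_LOG = "src/a.c:10:5: warning: unused variable 'x' [-Wunused-variable]\n"
NEW_LOG = ("src/a.c:12:5: warning: unused variable 'x' [-Wunused-variable]\n"
           "src/b.c:22:9: warning: comparison of integer expressions of different "
           "signedness [-Wsign-compare]\n")

if __name__ == "__main__":
    d = diff_symbols(parse_nm(OLD_NM), parse_nm(NEW_NM))
    print(d, "ABI break" if is_abi_break(d) else "ABI intact")
    print(new_warnings(OLD_LOG, NEW_LOG))
```

In the constructed sample the patch dropped one exported function and turned a weak symbol into a strong one, both of which a dependent package could notice at load or link time, which is precisely the kind of anomaly the review is looking for before the package reaches the -security pocket.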
In general, I would argue that the process we have in place results in more thorough testing for security updates - particularly checking for anything anomalous like new compiler warnings / symbols / unexpected changes in binaries etc, as well as more thorough, standardised testing for packages through the QA Regression Testing repo scripts
However, the lack of phased/progressive updates, combined with the separate security.ubuntu.com archive and unattended-upgrades being on by default, means any security update is delivered to Ubuntu users within 24 hours (on average) - BUT then any regression is also rolled out to all users within 24 hours as well
As such, we are kicking off discussions around possible changes to our deployment strategy to potentially introduce some more guard rails on the deployment side
If you have any thoughts, please let us know
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter